diff options
author | Remi Collet <remi@remirepo.net> | 2022-05-11 10:48:41 +0200 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2022-05-11 10:48:41 +0200 |
commit | 43ce9a2b4f9c0878d38d9b064b2c5fc47f04cf7b (patch) | |
tree | f4709016b21267bcfafae6fd997ee6234226bcd4 |
dup 8.1
40 files changed, 14038 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..01f0400 --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +clog +package-*.xml +*.tgz +*.tar.bz2 +*.tar.gz +*.tar.xz +*.tar.xz.asc +*.src.rpm +*/*rpm diff --git a/10-opcache.ini b/10-opcache.ini new file mode 100644 index 0000000..a5be172 --- /dev/null +++ b/10-opcache.ini @@ -0,0 +1,153 @@ +; Enable Zend OPcache extension module +zend_extension=opcache + +; Determines if Zend OPCache is enabled +opcache.enable=1 + +; Determines if Zend OPCache is enabled for the CLI version of PHP +opcache.enable_cli=1 + +; The OPcache shared memory storage size. +;opcache.memory_consumption=128 + +; The amount of memory for interned strings in Mbytes. +;opcache.interned_strings_buffer=8 + +; The maximum number of keys (scripts) in the OPcache hash table. +; Only numbers between 200 and 1000000 are allowed. +;opcache.max_accelerated_files=10000 + +; The maximum percentage of "wasted" memory until a restart is scheduled. +;opcache.max_wasted_percentage=5 + +; When this directive is enabled, the OPcache appends the current working +; directory to the script key, thus eliminating possible collisions between +; files with the same name (basename). Disabling the directive improves +; performance, but may break existing applications. +;opcache.use_cwd=1 + +; When disabled, you must reset the OPcache manually or restart the +; webserver for changes to the filesystem to take effect. +;opcache.validate_timestamps=1 + +; How often (in seconds) to check file timestamps for changes to the shared +; memory storage allocation. ("1" means validate once per second, but only +; once per request. "0" means always validate) +;opcache.revalidate_freq=2 + +; Enables or disables file search in include_path optimization +;opcache.revalidate_path=0 + +; If disabled, all PHPDoc comments are dropped from the code to reduce the +; size of the optimized code. +;opcache.save_comments=1 + +; If enabled, compilation warnings (including notices and deprecations) will +; be recorded and replayed each time a file is included. Otherwise, compilation +; warnings will only be emitted when the file is first cached. +;opcache.record_warnings=0 + +; Allow file existence override (file_exists, etc.) performance feature. +;opcache.enable_file_override=0 + +; A bitmask, where each bit enables or disables the appropriate OPcache +; passes +;opcache.optimization_level=0x7FFFBFFF + +; This hack should only be enabled to work around "Cannot redeclare class" +; errors. +;opcache.dups_fix=0 + +; The location of the OPcache blacklist file (wildcards allowed). +; Each OPcache blacklist file is a text file that holds the names of files +; that should not be accelerated. +opcache.blacklist_filename=/etc/php.d/opcache*.blacklist + +; Allows exclusion of large files from being cached. By default all files +; are cached. +;opcache.max_file_size=0 + +; Check the cache checksum each N requests. +; The default value of "0" means that the checks are disabled. +;opcache.consistency_checks=0 + +; How long to wait (in seconds) for a scheduled restart to begin if the cache +; is not being accessed. +;opcache.force_restart_timeout=180 + +; OPcache error_log file name. Empty string assumes "stderr". +;opcache.error_log= + +; All OPcache errors go to the Web server log. +; By default, only fatal errors (level 0) or errors (level 1) are logged. +; You can also enable warnings (level 2), info messages (level 3) or +; debug messages (level 4). +;opcache.log_verbosity_level=1 + +; Preferred Shared Memory back-end. Leave empty and let the system decide. +;opcache.preferred_memory_model= + +; Protect the shared memory from unexpected writing during script execution. +; Useful for internal debugging only. +;opcache.protect_memory=0 + +; Allows calling OPcache API functions only from PHP scripts which path is +; started from specified string. The default "" means no restriction +;opcache.restrict_api= + +; Enables and sets the second level cache directory. +; It should improve performance when SHM memory is full, at server restart or +; SHM reset. The default "" disables file based caching. +; RPM note : file cache directory must be owned by process owner +; for mod_php, see /etc/httpd/conf.d/php.conf +; for php-fpm, see /etc/php-fpm.d/*conf +;opcache.file_cache= + +; Enables or disables opcode caching in shared memory. +;opcache.file_cache_only=0 + +; Enables or disables checksum validation when script loaded from file cache. +;opcache.file_cache_consistency_checks=1 + +; Implies opcache.file_cache_only=1 for a certain process that failed to +; reattach to the shared memory (for Windows only). Explicitly enabled file +; cache is required. +;opcache.file_cache_fallback=1 + +; Enables or disables copying of PHP code (text segment) into HUGE PAGES. +; This should improve performance, but requires appropriate OS configuration. +opcache.huge_code_pages=0 + +; Validate cached file permissions. +; Leads OPcache to check file readability on each access to cached file. +; This directive should be enabled in shared hosting environment, when few +; users (PHP-FPM pools) reuse the common OPcache shared memory. +;opcache.validate_permission=0 + +; Prevent name collisions in chroot'ed environment. +; This directive prevents file name collisions in different "chroot" +; environments. It should be enabled for sites that may serve requests in +; different "chroot" environments. +;opcache.validate_root=0 + +; If specified, it produces opcode dumps for debugging different stages of +; optimizations. +;opcache.opt_debug_level=0 + +; Specifies a PHP script that is going to be compiled and executed at server +; start-up. +; http://php.net/opcache.preload +;opcache.preload= + +; Preloading code as root is not allowed for security reasons. This directive +; facilitates to let the preloading to be run as another user. +; http://php.net/opcache.preload_user +;opcache.preload_user= + +; Prevents caching files that are less than this number of seconds old. It +; protects from caching of incompletely updated files. In case all file updates +; on your site are atomic, you may increase performance by setting it to "0". +;opcache.file_update_protection=2 + +; Absolute path used to store shared lockfiles (for *nix only). +;opcache.lockfile_path=/tmp diff --git a/20-ffi.ini b/20-ffi.ini new file mode 100644 index 0000000..0bce40d --- /dev/null +++ b/20-ffi.ini @@ -0,0 +1,13 @@ +; Enable ffi extension module +extension=ffi + +; FFI API restriction. Possibe values: +; "preload" - enabled in CLI scripts and preloaded files (default) +; "false" - always disabled +; "true" - always enabled +;ffi.enable=preload + +; List of headers files to preload, wildcard patterns allowed. +; /usr/share/php/preload used by for RPM packages +; /usr/local/share/php/preload may be used for local files +ffi.preload=/usr/share/php/preload/*.h:/usr/local/share/php/preload/*.h diff --git a/20-oci8.ini b/20-oci8.ini new file mode 100644 index 0000000..46e0668 --- /dev/null +++ b/20-oci8.ini @@ -0,0 +1,53 @@ +; Enable oci8 extension module +extension=oci8 + +; Connection: Enables privileged connections using external +; credentials (OCI_SYSOPER, OCI_SYSDBA) +; http://php.net/oci8.privileged-connect +;oci8.privileged_connect = Off + +; Connection: The maximum number of persistent OCI8 connections per +; process. Using -1 means no limit. +; http://php.net/oci8.max-persistent +;oci8.max_persistent = -1 + +; Connection: The maximum number of seconds a process is allowed to +; maintain an idle persistent connection. Using -1 means idle +; persistent connections will be maintained forever. +; http://php.net/oci8.persistent-timeout +;oci8.persistent_timeout = -1 + +; Connection: The number of seconds that must pass before issuing a +; ping during oci_pconnect() to check the connection validity. When +; set to 0, each oci_pconnect() will cause a ping. Using -1 disables +; pings completely. +; http://php.net/oci8.ping-interval +;oci8.ping_interval = 60 + +; Connection: Set this to a user chosen connection class to be used +; for all pooled server requests with Oracle 11g Database Resident +; Connection Pooling (DRCP). To use DRCP, this value should be set to +; the same string for all web servers running the same application, +; the database pool must be configured, and the connection string must +; specify to use a pooled server. +;oci8.connection_class = + +; High Availability: Using On lets PHP receive Fast Application +; Notification (FAN) events generated when a database node fails. The +; database must also be configured to post FAN events. +;oci8.events = Off + +; Tuning: This option enables statement caching, and specifies how +; many statements to cache. Using 0 disables statement caching. +; http://php.net/oci8.statement-cache-size +;oci8.statement_cache_size = 20 + +; Tuning: Enables statement prefetching and sets the default number of +; rows that will be fetched automatically after statement execution. +; http://php.net/oci8.default-prefetch +;oci8.default_prefetch = 100 + +; Compatibility. Using On means oci_close() will not close +; oci_connect() and oci_new_connect() connections. +; http://php.net/oci8.old-oci-close-semantics +;oci8.old_oci_close_semantics = Off diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..a5696eb --- /dev/null +++ b/Makefile @@ -0,0 +1,6 @@ +SRCDIR := $(shell pwd) +NAME := $(shell basename $(SRCDIR)) +include ../../common/Makefile + +srpm: + rpmbuild $(RPMDEFINES) $(SRCDEFINES) --define 'scl php80' -bs $(NAME).spec @@ -0,0 +1,3 @@ +Update to 8.0.19 - http://www.php.net/releases/8_0_19.php + +use oracle client library version 21.6 diff --git a/failed.txt b/failed.txt new file mode 100644 index 0000000..1495908 --- /dev/null +++ b/failed.txt @@ -0,0 +1,20 @@ +===== 8.0.19 (2022-05-12) + +$ grep -ar 'Tests failed' /var/lib/mock/*/build.log + +/var/lib/mock/scl80el7x/build.log:Tests failed : 0 +/var/lib/mock/scl80el8x/build.log:Tests failed : 0 +/var/lib/mock/scl80el9x/build.log:Tests failed : 0 +/var/lib/mock/scl80fc34x/build.log:Tests failed : 0 +/var/lib/mock/scl80fc35x/build.log:Tests failed : 0 +/var/lib/mock/scl80fc36x/build.log:Tests failed : 0 + + + + +(1) proc_open give erratic test results :( +(2) test issue (fixed upstream) +(3) known issue +(4) related to tzdata +(5) need investigation +(6) // issue diff --git a/macros.php b/macros.php new file mode 100644 index 0000000..3943a74 --- /dev/null +++ b/macros.php @@ -0,0 +1,16 @@ +# +# Interface versions exposed by PHP: +# +%@SCL@php_core_api @PHP_APIVER@ +%@SCL@php_zend_api @PHP_ZENDVER@ +%@SCL@php_pdo_api @PHP_PDOVER@ +%@SCL@php_version @PHP_VERSION@ + +%@SCL@php_extdir @LIBDIR@/php/modules + +%@SCL@php_inidir @ETCDIR@/php.d + +%@SCL@php_incldir @INCDIR@/php + +%@SCL@__php @BINDIR@/php + diff --git a/opcache-default.blacklist b/opcache-default.blacklist new file mode 100644 index 0000000..0cc2e18 --- /dev/null +++ b/opcache-default.blacklist @@ -0,0 +1,11 @@ +; The blacklist file is a text file that holds the names of files +; that should not be accelerated. The file format is to add each filename +; to a new line. The filename may be a full path or just a file prefix +; (i.e., /var/www/x blacklists all the files and directories in /var/www +; that start with 'x'). Line starting with a ; are ignored (comments). +; Files are usually triggered by one of the following three reasons: +; 1) Directories that contain auto generated code, like Smarty or ZFW cache. +; 2) Code that does not work well when accelerated, due to some delayed +; compile time evaluation. +; 3) Code that triggers an OPcache bug. + diff --git a/php-7.0.0-odbctimer.patch b/php-7.0.0-odbctimer.patch new file mode 100644 index 0000000..18bcf0f --- /dev/null +++ b/php-7.0.0-odbctimer.patch @@ -0,0 +1,45 @@ +diff -up php-7.0.0RC1/ext/odbc/php_odbc.c.odbctimer php-7.0.0RC1/ext/odbc/php_odbc.c +--- php-7.0.0RC1/ext/odbc/php_odbc.c.odbctimer 2015-08-18 23:39:26.000000000 +0200 ++++ php-7.0.0RC1/ext/odbc/php_odbc.c 2015-08-22 07:44:51.170196466 +0200 +@@ -434,7 +434,8 @@ static void _free_odbc_result(zend_resou + efree(res->values); + res->values = NULL; + } +- if (res->stmt) { ++ /* If aborted via timer expiration, don't try to call any unixODBC function */ ++ if (res->stmt && !(PG(connection_status) & PHP_CONNECTION_TIMEOUT)) { + #if defined(HAVE_SOLID) || defined(HAVE_SOLID_30) || defined(HAVE_SOLID_35) + SQLTransact(res->conn_ptr->henv, res->conn_ptr->hdbc, + (SQLUSMALLINT) SQL_COMMIT); +@@ -484,9 +485,12 @@ static void _close_odbc_conn(zend_resour + } + } ZEND_HASH_FOREACH_END(); + +- safe_odbc_disconnect(conn->hdbc); +- SQLFreeConnect(conn->hdbc); +- SQLFreeEnv(conn->henv); ++ /* If aborted via timer expiration, don't try to call any unixODBC function */ ++ if (!(PG(connection_status) & PHP_CONNECTION_TIMEOUT)) { ++ safe_odbc_disconnect(conn->hdbc); ++ SQLFreeConnect(conn->hdbc); ++ SQLFreeEnv(conn->henv); ++ } + efree(conn); + ODBCG(num_links)--; + } +@@ -509,9 +513,12 @@ static void _close_odbc_pconn(zend_resou + } + } ZEND_HASH_FOREACH_END(); + +- safe_odbc_disconnect(conn->hdbc); +- SQLFreeConnect(conn->hdbc); +- SQLFreeEnv(conn->henv); ++ /* If aborted via timer expiration, don't try to call any unixODBC function */ ++ if (!(PG(connection_status) & PHP_CONNECTION_TIMEOUT)) { ++ safe_odbc_disconnect(conn->hdbc); ++ SQLFreeConnect(conn->hdbc); ++ SQLFreeEnv(conn->henv); ++ } + free(conn); + + ODBCG(num_links)--; diff --git a/php-7.0.7-curl.patch b/php-7.0.7-curl.patch new file mode 100644 index 0000000..218db98 --- /dev/null +++ b/php-7.0.7-curl.patch @@ -0,0 +1,15 @@ +diff -up php-7.0.7RC1/ext/curl/interface.c.curltls php-7.0.7RC1/ext/curl/interface.c +--- php-7.0.7RC1/ext/curl/interface.c.curltls 2016-05-10 17:28:33.000000000 +0200 ++++ php-7.0.7RC1/ext/curl/interface.c 2016-05-12 07:43:00.900419946 +0200 +@@ -1257,7 +1257,11 @@ PHP_MINIT_FUNCTION(curl) + + #if LIBCURL_VERSION_NUM >= 0x072200 /* Available since 7.34.0 */ + REGISTER_CURL_CONSTANT(CURLOPT_LOGIN_OPTIONS); ++#endif + ++#if LIBCURL_VERSION_NUM >= 0x071300 /* Available since 7.19.0 (in upstream curl 7.34) ++ backported in RHEL-7 curl-7.29.0-16.el7 rhbz#1012136 ++ backported in RHEL-6 curl-7.19.7-43.el6 rhbz#1036789 */ + REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0); + REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1); + REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2); diff --git a/php-7.2.0-includedir.patch b/php-7.2.0-includedir.patch new file mode 100644 index 0000000..7a42cd6 --- /dev/null +++ b/php-7.2.0-includedir.patch @@ -0,0 +1,11 @@ +--- php-7.2.0/configure.ac.includedir ++++ php-7.2.0/configure.ac +@@ -1230,7 +1230,7 @@ + EXPANDED_DATADIR=$datadir + EXPANDED_PHP_CONFIG_FILE_PATH=`eval echo "$PHP_CONFIG_FILE_PATH"` + EXPANDED_PHP_CONFIG_FILE_SCAN_DIR=`eval echo "$PHP_CONFIG_FILE_SCAN_DIR"` +-INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR ++INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR:${EXPANDED_DATADIR}/php:/usr/share/pear:/usr/share/php + + exec_prefix=$old_exec_prefix + libdir=$old_libdir diff --git a/php-7.2.0-oci8conf.patch b/php-7.2.0-oci8conf.patch new file mode 100644 index 0000000..0ad16a1 --- /dev/null +++ b/php-7.2.0-oci8conf.patch @@ -0,0 +1,35 @@ +diff -up ./ext/ldap/php_ldap.h.remi-oci8 ./ext/ldap/php_ldap.h +--- ./ext/ldap/php_ldap.h.remi-oci8 2017-06-20 15:45:35.000000000 +0200 ++++ ./ext/ldap/php_ldap.h 2017-06-20 16:55:01.640203868 +0200 +@@ -27,7 +27,7 @@ + #include <lber.h> + #endif + +-#include <ldap.h> ++#include "/usr/include/ldap.h" + + extern zend_module_entry ldap_module_entry; + #define ldap_module_ptr &ldap_module_entry +diff -up ./ext/oci8/config.m4.remi-oci8 ./ext/oci8/config.m4 +--- ./ext/oci8/config.m4.remi-oci8 2017-06-20 15:45:39.000000000 +0200 ++++ ./ext/oci8/config.m4 2017-06-20 16:55:01.640203868 +0200 +@@ -372,6 +372,7 @@ if test "$PHP_OCI8" != "no"; then + + dnl Header directory for Instant Client SDK RPM install + OCISDKRPMINC=`echo "$PHP_OCI8_INSTANT_CLIENT" | $PHP_OCI8_SED -e 's!^/usr/lib/oracle/\(.*\)/client\('${PHP_OCI8_IC_LIBDIR_SUFFIX}'\)*/lib[/]*$!/usr/include/oracle/\1/client\2!'` ++ OCISDKRPMINC=`echo "$PHP_OCI8_INSTANT_CLIENT" | $PHP_OCI8_SED -e 's!^/usr/\(lib64\|lib\)/oracle/\(.*\)/\(client64\|client\)/lib[/]*$!/usr/include/oracle/\2/\3!'` + + dnl Header directory for Instant Client SDK zip file install + OCISDKZIPINC=$PHP_OCI8_INSTANT_CLIENT/sdk/include +diff -up ./ext/pdo_oci/config.m4.remi-oci8 ./ext/pdo_oci/config.m4 +--- ./ext/pdo_oci/config.m4.remi-oci8 2017-06-20 16:55:01.640203868 +0200 ++++ ./ext/pdo_oci/config.m4 2017-06-20 17:16:03.053538358 +0200 +@@ -93,7 +93,7 @@ if test "$PHP_PDO_OCI" != "no"; then + + AC_MSG_CHECKING([for oci.h]) + dnl Header directory for Instant Client SDK RPM install +- OCISDKRPMINC=`echo "$PDO_OCI_LIB_DIR" | $PHP_PDO_OCI_SED -e 's!^\(.*\)/lib/oracle/\(.*\)/\('${PDO_OCI_CLIENT_DIR}'\)/lib[/]*$!\1/include/oracle/\2/\3!'` ++ OCISDKRPMINC=`echo "$PDO_OCI_LIB_DIR" | $PHP_PDO_OCI_SED -e 's!^\(.*\)/\(lib64\|lib\)/oracle/\(.*\)/\('${PDO_OCI_CLIENT_DIR}'\)/lib[/]*$!\1/include/oracle/\3/\4!'` + + dnl Header directory for manual installation + OCISDKMANINC=`echo "$PDO_OCI_LIB_DIR" | $PHP_PDO_OCI_SED -e 's!^\(.*\)/lib[/]*$!\1/include!'` diff --git a/php-7.4.0-datetests.patch b/php-7.4.0-datetests.patch new file mode 100644 index 0000000..8c437e5 --- /dev/null +++ b/php-7.4.0-datetests.patch @@ -0,0 +1,98 @@ +diff -up ./ext/date/tests/bug33414-2.phpt.datetests ./ext/date/tests/bug33414-2.phpt +--- ./ext/date/tests/bug33414-2.phpt.datetests 2020-04-09 14:06:11.000000000 +0200 ++++ ./ext/date/tests/bug33414-2.phpt 2020-04-09 14:40:00.809433489 +0200 +@@ -74,10 +74,10 @@ $strtotime_tstamp = strtotime("next Frid + print "result=".date("l Y-m-d H:i:s T I", $strtotime_tstamp)."\n"; + print "wanted=Friday 00:00:00\n\n"; + ?> +---EXPECT-- ++--EXPECTF-- + TZ=Pacific/Rarotonga - wrong day. +-tStamp=Thursday 1970-01-01 17:17:17 -1030 0 +-result=Tuesday 1970-01-06 00:00:00 -1030 0 ++tStamp=Thursday 1970-01-01 17:17:17 %s ++result=Tuesday 1970-01-06 00:00:00 %s + wanted=Tuesday 00:00:00 + + TZ=Atlantic/South_Georgia - wrong day. +@@ -91,13 +91,13 @@ result=Monday 2005-04-04 00:00:00 EDT 1 + wanted=Monday 00:00:00 + + TZ=Pacific/Enderbury - wrong day, off by 2 days. +-tStamp=Thursday 1970-01-01 17:17:17 -12 0 +-result=Monday 1970-01-05 00:00:00 -12 0 ++tStamp=Thursday 1970-01-01 17:17:17 %s ++result=Monday 1970-01-05 00:00:00 %s + wanted=Monday 00:00:00 + + TZ=Pacific/Kiritimati - wrong day, off by 2 days. +-tStamp=Thursday 1970-01-01 17:17:17 -1040 0 +-result=Monday 1970-01-05 00:00:00 -1040 0 ++tStamp=Thursday 1970-01-01 17:17:17 %s ++result=Monday 1970-01-05 00:00:00 %s + wanted=Monday 00:00:00 + + TZ=America/Managua - wrong day. +@@ -106,13 +106,13 @@ result=Tuesday 2005-04-12 00:00:00 CDT 1 + wanted=Tuesday 00:00:00 + + TZ=Pacific/Pitcairn - wrong day. +-tStamp=Thursday 1970-01-01 17:17:17 -0830 0 +-result=Wednesday 1970-01-07 00:00:00 -0830 0 ++tStamp=Thursday 1970-01-01 17:17:17 %s ++result=Wednesday 1970-01-07 00:00:00 %s + wanted=Wednesday 00:00:00 + + TZ=Pacific/Fakaofo - wrong day. +-tStamp=Thursday 1970-01-01 17:17:17 -11 0 +-result=Saturday 1970-01-03 00:00:00 -11 0 ++tStamp=Thursday 1970-01-01 17:17:17 %s ++result=Saturday 1970-01-03 00:00:00 %s + wanted=Saturday 00:00:00 + + TZ=Pacific/Johnston - wrong day. +diff -up ./ext/date/tests/bug66985.phpt.datetests ./ext/date/tests/bug66985.phpt +--- ./ext/date/tests/bug66985.phpt.datetests 2020-04-09 14:06:11.000000000 +0200 ++++ ./ext/date/tests/bug66985.phpt 2020-04-09 14:40:37.099288185 +0200 +@@ -3,7 +3,7 @@ Bug #66985 (Some timezones are no longer + --FILE-- + <?php + $zones = array( +- "CST6CDT", "Cuba", "Egypt", "Eire", "EST5EDT", "Factory", "GB-Eire", ++ "CST6CDT", "Cuba", "Egypt", "Eire", "EST5EDT", "GB-Eire", + "GMT0", "Greenwich", "Hongkong", "Iceland", "Iran", "Israel", "Jamaica", + "Japan", "Kwajalein", "Libya", "MST7MDT", "Navajo", "NZ-CHAT", "Poland", + "Portugal", "PST8PDT", "Singapore", "Turkey", "Universal", "W-SU", +@@ -45,11 +45,6 @@ DateTimeZone Object + ) + DateTimeZone Object + ( +- [timezone_type] => 3 +- [timezone] => Factory +-) +-DateTimeZone Object +-( + [timezone_type] => 3 + [timezone] => GB-Eire + ) +diff -up ./ext/date/tests/strtotime3-64bit.phpt.datetests ./ext/date/tests/strtotime3-64bit.phpt +--- ./ext/date/tests/strtotime3-64bit.phpt.datetests 2020-04-09 14:06:11.000000000 +0200 ++++ ./ext/date/tests/strtotime3-64bit.phpt 2020-04-09 14:40:00.809433489 +0200 +@@ -44,7 +44,7 @@ foreach ($strs as $str) { + } + + ?> +---EXPECT-- ++--EXPECTF-- + bool(false) + bool(false) + string(31) "Thu, 15 Jun 2006 00:00:00 +0100" +@@ -53,7 +53,7 @@ bool(false) + string(31) "Fri, 16 Jun 2006 23:49:12 +0100" + bool(false) + string(31) "Fri, 16 Jun 2006 02:22:00 +0100" +-string(31) "Sun, 16 Jun 0222 02:22:00 -0036" ++string(31) "Sun, 16 Jun 0222 02:22:00 %s" + string(31) "Fri, 16 Jun 2006 02:22:33 +0100" + bool(false) + string(31) "Tue, 02 Mar 2004 00:00:00 +0000" diff --git a/php-7.4.0-httpd.patch b/php-7.4.0-httpd.patch new file mode 100644 index 0000000..34f7c8a --- /dev/null +++ b/php-7.4.0-httpd.patch @@ -0,0 +1,27 @@ +Disable MPM detection + +mod_php is build twice +- as NTS without option +- as ZTS using --enable-maintainer-zts + +diff --git a/sapi/apache2handler/config.m4 b/sapi/apache2handler/config.m4 +--- a/sapi/apache2handler/config.m4 ++++ b/sapi/apache2handler/config.m4 +@@ -105,17 +105,6 @@ if test "$PHP_APXS2" != "no"; then + ;; + esac + +- if test "$APACHE_VERSION" -lt 2004001; then +- APXS_MPM=`$APXS -q MPM_NAME` +- if test "$APXS_MPM" != "prefork" && test "$APXS_MPM" != "peruser" && test "$APXS_MPM" != "itk"; then +- PHP_BUILD_THREAD_SAFE +- fi +- else +- APACHE_THREADED_MPM=`$APXS_HTTPD -V 2>/dev/null | grep 'threaded:.*yes'` +- if test -n "$APACHE_THREADED_MPM"; then +- PHP_BUILD_THREAD_SAFE +- fi +- fi + AC_MSG_RESULT(yes) + PHP_SUBST(APXS) + else diff --git a/php-7.4.0-ldap_r.patch b/php-7.4.0-ldap_r.patch new file mode 100644 index 0000000..13566b4 --- /dev/null +++ b/php-7.4.0-ldap_r.patch @@ -0,0 +1,19 @@ + +Use -lldap_r by default. + +diff -up php-7.4.0RC2/ext/ldap/config.m4.ldap_r php-7.4.0RC2/ext/ldap/config.m4 +--- php-7.4.0RC2/ext/ldap/config.m4.ldap_r 2019-09-17 10:21:24.769200812 +0200 ++++ php-7.4.0RC2/ext/ldap/config.m4 2019-09-17 10:21:30.658181771 +0200 +@@ -68,7 +68,11 @@ if test "$PHP_LDAP" != "no"; then + dnl -pc removal is a hack for clang + MACHINE_INCLUDES=$($CC -dumpmachine | $SED 's/-pc//') + +- if test -f $LDAP_LIBDIR/liblber.a || test -f $LDAP_LIBDIR/liblber.$SHLIB_SUFFIX_NAME || test -f $LDAP_LIBDIR/$MACHINE_INCLUDES/liblber.a || test -f $LDAP_LIBDIR/$MACHINE_INCLUDES/liblber.$SHLIB_SUFFIX_NAME; then ++ if test -f $LDAP_LIBDIR/libldap_r.$SHLIB_SUFFIX_NAME; then ++ PHP_ADD_LIBRARY_WITH_PATH(lber, $LDAP_LIBDIR, LDAP_SHARED_LIBADD) ++ PHP_ADD_LIBRARY_WITH_PATH(ldap_r, $LDAP_LIBDIR, LDAP_SHARED_LIBADD) ++ ++ elif test -f $LDAP_LIBDIR/liblber.a || test -f $LDAP_LIBDIR/liblber.$SHLIB_SUFFIX_NAME || test -f $LDAP_LIBDIR/$MACHINE_INCLUDES/liblber.a || test -f $LDAP_LIBDIR/$MACHINE_INCLUDES/liblber.$SHLIB_SUFFIX_NAME; then + PHP_ADD_LIBRARY_WITH_PATH(lber, $LDAP_LIBDIR, LDAP_SHARED_LIBADD) + PHP_ADD_LIBRARY_WITH_PATH(ldap, $LDAP_LIBDIR, LDAP_SHARED_LIBADD) + diff --git a/php-7.4.0-libdb.patch b/php-7.4.0-libdb.patch new file mode 100644 index 0000000..d7c6289 --- /dev/null +++ b/php-7.4.0-libdb.patch @@ -0,0 +1,92 @@ +diff -up ./ext/dba/config.m4.libdb ./ext/dba/config.m4 +--- ./ext/dba/config.m4.libdb 2020-04-09 14:06:11.000000000 +0200 ++++ ./ext/dba/config.m4 2020-04-09 14:35:08.208605065 +0200 +@@ -375,61 +375,13 @@ if test "$PHP_DB4" != "no"; then + dbdp4="/usr/local/BerkeleyDB.4." + dbdp5="/usr/local/BerkeleyDB.5." + for i in $PHP_DB4 ${dbdp5}1 ${dbdp5}0 ${dbdp4}8 ${dbdp4}7 ${dbdp4}6 ${dbdp4}5 ${dbdp4}4 ${dbdp4}3 ${dbdp4}2 ${dbdp4}1 ${dbdp}0 /usr/local /usr; do +- if test -f "$i/db5/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/db5/db.h +- break +- elif test -f "$i/db4/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/db4/db.h +- break +- elif test -f "$i/include/db5.3/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db5.3/db.h +- break +- elif test -f "$i/include/db5.1/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db5.1/db.h +- break +- elif test -f "$i/include/db5.0/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db5.0/db.h +- break +- elif test -f "$i/include/db4.8/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.8/db.h +- break +- elif test -f "$i/include/db4.7/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.7/db.h +- break +- elif test -f "$i/include/db4.6/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.6/db.h +- break +- elif test -f "$i/include/db4.5/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.5/db.h +- break +- elif test -f "$i/include/db4/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4/db.h +- break +- elif test -f "$i/include/db/db4.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db/db4.h +- break +- elif test -f "$i/include/db4.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.h +- break +- elif test -f "$i/include/db.h"; then ++ if test -f "$i/include/db.h"; then + THIS_PREFIX=$i + THIS_INCLUDE=$i/include/db.h + break + fi + done +- PHP_DBA_DB_CHECK(4, db-5.3 db-5.1 db-5.0 db-4.8 db-4.7 db-4.6 db-4.5 db-4.4 db-4.3 db-4.2 db-4.1 db-4.0 db-4 db4 db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)]) ++ PHP_DBA_DB_CHECK(4, db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)]) + fi + PHP_DBA_STD_RESULT(db4,Berkeley DB4) + +diff -up ./ext/dba/dba.c.libdb ./ext/dba/dba.c +--- ./ext/dba/dba.c.libdb 2020-04-09 14:06:11.000000000 +0200 ++++ ./ext/dba/dba.c 2020-04-09 14:36:30.593275190 +0200 +@@ -50,6 +50,10 @@ + #include "php_lmdb.h" + #include "dba_arginfo.h" + ++#ifdef DB4_INCLUDE_FILE ++#include DB4_INCLUDE_FILE ++#endif ++ + PHP_MINIT_FUNCTION(dba); + PHP_MSHUTDOWN_FUNCTION(dba); + PHP_MINFO_FUNCTION(dba); +@@ -459,6 +463,10 @@ PHP_MINFO_FUNCTION(dba) + + php_info_print_table_start(); + php_info_print_table_row(2, "DBA support", "enabled"); ++#ifdef DB_VERSION_STRING ++ php_info_print_table_row(2, "libdb header version", DB_VERSION_STRING); ++ php_info_print_table_row(2, "libdb library version", db_version(NULL, NULL, NULL)); ++#endif + if (handlers.s) { + smart_str_0(&handlers); + php_info_print_table_row(2, "Supported handlers", ZSTR_VAL(handlers.s)); diff --git a/php-7.4.0-phpize.patch b/php-7.4.0-phpize.patch new file mode 100644 index 0000000..fb99f3e --- /dev/null +++ b/php-7.4.0-phpize.patch @@ -0,0 +1,35 @@ +diff -up ./scripts/phpize.in.headers ./scripts/phpize.in +--- ./scripts/phpize.in.headers 2019-07-23 10:05:11.000000000 +0200 ++++ ./scripts/phpize.in 2019-07-23 10:18:13.648098089 +0200 +@@ -165,6 +165,15 @@ phpize_autotools() + $PHP_AUTOHEADER || exit 1 + } + ++phpize_check_headers() ++{ ++ if test ! -f $includedir/main/php.h; then ++ echo "Can't find PHP headers in $includedir" ++ echo "The php-devel package is required for use of this command." ++ exit 1 ++ fi ++} ++ + # Main script + + case "$1" in +@@ -183,12 +192,15 @@ case "$1" in + + # Version + --version|-v) ++ phpize_check_headers + phpize_print_api_numbers + exit 0 + ;; + + # Default + *) ++ phpize_check_headers ++ + phpize_check_configm4 0 + + phpize_check_build_files diff --git a/php-8.0.0-embed.patch b/php-8.0.0-embed.patch new file mode 100644 index 0000000..27533ea --- /dev/null +++ b/php-8.0.0-embed.patch @@ -0,0 +1,25 @@ +diff -up ./sapi/embed/config.m4.embed ./sapi/embed/config.m4 +--- ./sapi/embed/config.m4.embed 2020-07-07 13:51:05.879764972 +0200 ++++ ./sapi/embed/config.m4 2020-07-07 13:52:50.128412148 +0200 +@@ -12,7 +12,8 @@ if test "$PHP_EMBED" != "no"; then + yes|shared) + LIBPHP_CFLAGS="-shared" + PHP_EMBED_TYPE=shared +- INSTALL_IT="\$(mkinstalldirs) \$(INSTALL_ROOT)\$(prefix)/lib; \$(INSTALL) -m 0755 $SAPI_SHARED \$(INSTALL_ROOT)\$(prefix)/lib" ++ EXTRA_LDFLAGS="$EXTRA_LDFLAGS -release \$(PHP_MAJOR_VERSION).\$(PHP_MINOR_VERSION)" ++ INSTALL_IT="\$(mkinstalldirs) \$(INSTALL_ROOT)\$(libdir); \$(LIBTOOL) --mode=install \$(INSTALL) -m 0755 \$(OVERALL_TARGET) \$(INSTALL_ROOT)\$(libdir)" + ;; + static) + LIBPHP_CFLAGS="-static" +diff -up ./scripts/php-config.in.embed ./scripts/php-config.in +--- ./scripts/php-config.in.embed 2020-07-07 12:54:42.000000000 +0200 ++++ ./scripts/php-config.in 2020-07-07 13:51:05.880764968 +0200 +@@ -18,7 +18,7 @@ exe_extension="@EXEEXT@" + php_cli_binary=NONE + php_cgi_binary=NONE + configure_options="@CONFIGURE_OPTIONS@" +-php_sapis="@PHP_INSTALLED_SAPIS@" ++php_sapis="apache2handler litespeed fpm phpdbg @PHP_INSTALLED_SAPIS@" + ini_dir="@EXPANDED_PHP_CONFIG_FILE_SCAN_DIR@" + ini_path="@EXPANDED_PHP_CONFIG_FILE_PATH@" + diff --git a/php-8.0.0-phpinfo.patch b/php-8.0.0-phpinfo.patch new file mode 100644 index 0000000..391d996 --- /dev/null +++ b/php-8.0.0-phpinfo.patch @@ -0,0 +1,118 @@ + +Drop "Configure Command" from phpinfo as it doesn't +provide any useful information. +The available extensions are not related to this command. + +Replace full GCC name by gcc in php -v output + + +Also apply + +From 9bf43c45908433d382f0499d529849172d0d8206 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Mon, 28 Dec 2020 08:33:09 +0100 +Subject: [PATCH] rename COMPILER and ARCHITECTURE macro (too generic) + +--- + configure.ac | 4 ++-- + ext/standard/info.c | 8 ++++---- + sapi/cli/php_cli.c | 8 ++++---- + win32/build/confutils.js | 10 +++++----- + 4 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 9d9c8b155b07..143dc061346b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1289,10 +1289,10 @@ if test -n "${PHP_BUILD_PROVIDER}"; then + AC_DEFINE_UNQUOTED(PHP_BUILD_PROVIDER,"$PHP_BUILD_PROVIDER",[build provider]) + fi + if test -n "${PHP_BUILD_COMPILER}"; then +- AC_DEFINE_UNQUOTED(COMPILER,"$PHP_BUILD_COMPILER",[used compiler for build]) ++ AC_DEFINE_UNQUOTED(PHP_BUILD_COMPILER,"$PHP_BUILD_COMPILER",[used compiler for build]) + fi + if test -n "${PHP_BUILD_ARCH}"; then +- AC_DEFINE_UNQUOTED(ARCHITECTURE,"$PHP_BUILD_ARCH",[build architecture]) ++ AC_DEFINE_UNQUOTED(PHP_BUILD_ARCH,"$PHP_BUILD_ARCH",[build architecture]) + fi + + PHP_SUBST_OLD(PHP_INSTALLED_SAPIS) +diff --git a/ext/standard/info.c b/ext/standard/info.c +index 153cb6cde014..8ceef31d9fe4 100644 +--- a/ext/standard/info.c ++++ b/ext/standard/info.c +@@ -798,11 +798,11 @@ PHPAPI ZEND_COLD void php_print_info(int flag) + #ifdef PHP_BUILD_PROVIDER + php_info_print_table_row(2, "Build Provider", PHP_BUILD_PROVIDER); + #endif +-#ifdef COMPILER +- php_info_print_table_row(2, "Compiler", COMPILER); ++#ifdef PHP_BUILD_COMPILER ++ php_info_print_table_row(2, "Compiler", PHP_BUILD_COMPILER); + #endif +-#ifdef ARCHITECTURE +- php_info_print_table_row(2, "Architecture", ARCHITECTURE); ++#ifdef PHP_BUILD_ARCH ++ php_info_print_table_row(2, "Architecture", PHP_BUILD_ARCH); + #endif + #ifdef CONFIGURE_COMMAND + php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); +diff --git a/sapi/cli/php_cli.c b/sapi/cli/php_cli.c +index 5092fb0ffd68..9d296acec631 100644 +--- a/sapi/cli/php_cli.c ++++ b/sapi/cli/php_cli.c +@@ -640,12 +640,12 @@ static int do_cli(int argc, char **argv) /* {{{ */ + #else + "NTS " + #endif +-#ifdef COMPILER +- COMPILER ++#ifdef PHP_BUILD_COMPILER ++ PHP_BUILD_COMPILER + " " + #endif +-#ifdef ARCHITECTURE +- ARCHITECTURE ++#ifdef PHP_BUILD_ARCH ++ PHP_BUILD_ARCH + " " + #endif + #if ZEND_DEBUG + +diff -up ./ext/standard/info.c.phpinfo ./ext/standard/info.c +--- ./ext/standard/info.c.phpinfo 2020-07-21 10:49:31.000000000 +0200 ++++ ./ext/standard/info.c 2020-07-21 11:41:56.295633523 +0200 +@@ -804,9 +804,6 @@ PHPAPI ZEND_COLD void php_print_info(int + #ifdef PHP_BUILD_ARCH + php_info_print_table_row(2, "Architecture", PHP_BUILD_ARCH); + #endif +-#ifdef CONFIGURE_COMMAND +- php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); +-#endif + + if (sapi_module.pretty_name) { + php_info_print_table_row(2, "Server API", sapi_module.pretty_name ); +diff -up ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo ./ext/standard/tests/general_functions/phpinfo.phpt +--- ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo 2020-07-21 10:49:31.000000000 +0200 ++++ ./ext/standard/tests/general_functions/phpinfo.phpt 2020-07-21 11:41:56.296633522 +0200 +@@ -17,7 +17,6 @@ PHP Version => %s + + System => %s + Build Date => %s%a +-Configure Command => %s + Server API => Command Line Interface + Virtual Directory Support => %s + Configuration File (php.ini) Path => %s +diff -up ./sapi/cli/php_cli.c.phpinfo ./sapi/cli/php_cli.c +--- ./sapi/cli/php_cli.c.phpinfo 2020-07-21 11:43:38.812475300 +0200 ++++ ./sapi/cli/php_cli.c 2020-07-21 11:43:45.783464540 +0200 +@@ -641,8 +641,7 @@ static int do_cli(int argc, char **argv) + "NTS " + #endif + #ifdef PHP_BUILD_COMPILER +- PHP_BUILD_COMPILER +- " " ++ "gcc " + #endif + #ifdef PHP_BUILD_ARCH + PHP_BUILD_ARCH diff --git a/php-8.0.10-openssl3.patch b/php-8.0.10-openssl3.patch new file mode 100644 index 0000000..6070150 --- /dev/null +++ b/php-8.0.10-openssl3.patch @@ -0,0 +1,4761 @@ +From 3d13d14f318267b27f99025b37a2061c835e0727 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Sun, 8 Aug 2021 17:38:30 +0200 +Subject: [PATCH 01/39] minimal fix for openssl 3.0 (#7002) + +(cherry picked from commit a0972deb0f441fc7991001cb51efc994b70a3b51) +--- + ext/openssl/openssl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 19e7a0d79e..015cd89aa6 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -1221,7 +1221,9 @@ PHP_MINIT_FUNCTION(openssl) + REGISTER_LONG_CONSTANT("OPENSSL_CMS_NOSIGS", CMS_NOSIGS, CONST_CS|CONST_PERSISTENT); + + REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_PADDING", RSA_PKCS1_PADDING, CONST_CS|CONST_PERSISTENT); ++#ifdef RSA_SSLV23_PADDING + REGISTER_LONG_CONSTANT("OPENSSL_SSLV23_PADDING", RSA_SSLV23_PADDING, CONST_CS|CONST_PERSISTENT); ++#endif + REGISTER_LONG_CONSTANT("OPENSSL_NO_PADDING", RSA_NO_PADDING, CONST_CS|CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING, CONST_CS|CONST_PERSISTENT); + +-- +2.31.1 + +From fc0dbc36e4563a5146aa5345e8520f6601ec7030 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 09:41:39 +0200 +Subject: [PATCH 02/39] Optimize openssl memory leak test + +Just do one call and check whether memory usage changes. Looping +this 100000 times is extremely slow with debug builds of openssl. + +(cherry picked from commit 6249172ae37f958f0a3ef92cb55d5bf7affa8214) +--- + ext/openssl/tests/bug79145.phpt | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/ext/openssl/tests/bug79145.phpt b/ext/openssl/tests/bug79145.phpt +index 4f3dc9e766..c9c7df2953 100644 +--- a/ext/openssl/tests/bug79145.phpt ++++ b/ext/openssl/tests/bug79145.phpt +@@ -3,7 +3,6 @@ Bug #79145 (openssl memory leak) + --SKIPIF-- + <?php + if (!extension_loaded('openssl')) die('skip openssl extension not available'); +-if (getenv('SKIP_SLOW_TESTS')) die('skip slow test'); + ?> + --FILE-- + <?php +@@ -14,13 +13,14 @@ j85Q5OliVxOdB1LoTOsOmfFf/fdvpU3DsOWsDKlVrL41MHxXorwrwOiys/r/gv2d + C9C4JmhTOjBVAK8SewIDAQAC + -----END PUBLIC KEY-----'; + ++$a = openssl_get_publickey($b); ++@openssl_free_key($a); ++ + $start = memory_get_usage(true); +-for ($i = 0; $i < 100000; $i++) { +- $a = openssl_get_publickey($b); +- @openssl_free_key($a); +-} ++$a = openssl_get_publickey($b); ++@openssl_free_key($a); + $end = memory_get_usage(true); +-var_dump($end <= 1.1 * $start); ++var_dump($end == $start); + ?> + --EXPECT-- + bool(true) +-- +2.31.1 + +From da4fbfb99a6dfc9dbaaa04a4bc8068a7e9bfa46c Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 09:46:07 +0200 +Subject: [PATCH 03/39] Reduce security level in some OpenSSL tests + +This allows tests using older protocols and algorithms to work +under OpenSSL 3. + +Also account for minor changes in error reporting. + +(cherry picked from commit 3ea57cf83834e07aae6953201015e39b4a2ac6dd) +--- + ext/openssl/tests/session_meta_capture.phpt | 4 ++-- + ext/openssl/tests/stream_crypto_flags_001.phpt | 4 ++-- + ext/openssl/tests/stream_crypto_flags_002.phpt | 4 ++-- + ext/openssl/tests/stream_crypto_flags_003.phpt | 4 ++-- + ext/openssl/tests/stream_crypto_flags_004.phpt | 4 ++-- + ext/openssl/tests/stream_security_level.phpt | 4 ++-- + ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt | 4 ++-- + ext/openssl/tests/tls_wrapper.phpt | 4 ++-- + ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt | 4 ++-- + ext/openssl/tests/tlsv1.0_wrapper.phpt | 4 ++-- + ext/openssl/tests/tlsv1.1_wrapper.phpt | 4 ++-- + 11 files changed, 22 insertions(+), 22 deletions(-) + +diff --git a/ext/openssl/tests/session_meta_capture.phpt b/ext/openssl/tests/session_meta_capture.phpt +index 58b48e9c59..8a0f403a15 100644 +--- a/ext/openssl/tests/session_meta_capture.phpt ++++ b/ext/openssl/tests/session_meta_capture.phpt +@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' + $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -36,7 +36,7 @@ $clientCode = <<<'CODE' + 'verify_peer' => true, + 'cafile' => '%s', + 'peer_name' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/stream_crypto_flags_001.phpt b/ext/openssl/tests/stream_crypto_flags_001.phpt +index acd97110ff..a86e0f8a6c 100644 +--- a/ext/openssl/tests/stream_crypto_flags_001.phpt ++++ b/ext/openssl/tests/stream_crypto_flags_001.phpt +@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' + $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -35,7 +35,7 @@ $clientCode = <<<'CODE' + 'verify_peer' => true, + 'cafile' => '%s', + 'peer_name' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/stream_crypto_flags_002.phpt b/ext/openssl/tests/stream_crypto_flags_002.phpt +index 15b1ec2cfc..2870bdc814 100644 +--- a/ext/openssl/tests/stream_crypto_flags_002.phpt ++++ b/ext/openssl/tests/stream_crypto_flags_002.phpt +@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' + $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -36,7 +36,7 @@ $clientCode = <<<'CODE' + 'verify_peer' => true, + 'cafile' => '%s', + 'peer_name' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/stream_crypto_flags_003.phpt b/ext/openssl/tests/stream_crypto_flags_003.phpt +index 35f83f22dd..da1f1ae228 100644 +--- a/ext/openssl/tests/stream_crypto_flags_003.phpt ++++ b/ext/openssl/tests/stream_crypto_flags_003.phpt +@@ -19,7 +19,7 @@ $serverCode = <<<'CODE' + + // Only accept TLSv1.0 and TLSv1.2 connections + 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER | STREAM_CRYPTO_METHOD_TLSv1_2_SERVER, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -40,7 +40,7 @@ $clientCode = <<<'CODE' + 'verify_peer' => true, + 'cafile' => '%s', + 'peer_name' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/stream_crypto_flags_004.phpt b/ext/openssl/tests/stream_crypto_flags_004.phpt +index d9bfcfea3f..b7626b8ea7 100644 +--- a/ext/openssl/tests/stream_crypto_flags_004.phpt ++++ b/ext/openssl/tests/stream_crypto_flags_004.phpt +@@ -16,7 +16,7 @@ $serverCode = <<<'CODE' + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', + 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -37,7 +37,7 @@ $clientCode = <<<'CODE' + 'verify_peer' => true, + 'cafile' => '%s', + 'peer_name' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/stream_security_level.phpt b/ext/openssl/tests/stream_security_level.phpt +index 44ba4c6d57..b8a8796de3 100644 +--- a/ext/openssl/tests/stream_security_level.phpt ++++ b/ext/openssl/tests/stream_security_level.phpt +@@ -24,7 +24,7 @@ $serverCode = <<<'CODE' + 'local_cert' => '%s', + // Make sure the server side starts up successfully if the default security level is + // higher. We want to test the error at the client side. +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -66,7 +66,7 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode); + ?> + --EXPECTF-- + Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: +-error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in %s : eval()'d code on line %d ++error:%s:SSL routines:%S:certificate verify failed in %s : eval()'d code on line %d + + Warning: stream_socket_client(): Failed to enable crypto in %s : eval()'d code on line %d + +diff --git a/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt b/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt +index ac31192da4..73dd812291 100644 +--- a/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt ++++ b/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt +@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' + 'local_cert' => '%s', + 'min_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_0, + 'max_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_1, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); +@@ -32,7 +32,7 @@ $clientCode = <<<'CODE' + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/tls_wrapper.phpt b/ext/openssl/tests/tls_wrapper.phpt +index d79e978c10..3488f6f7f0 100644 +--- a/ext/openssl/tests/tls_wrapper.phpt ++++ b/ext/openssl/tests/tls_wrapper.phpt +@@ -14,7 +14,7 @@ $serverCode = <<<'CODE' + $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; + $ctx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); +@@ -31,7 +31,7 @@ $clientCode = <<<'CODE' + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt b/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt +index b419179b3f..c8a0245601 100644 +--- a/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt ++++ b/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt +@@ -14,7 +14,7 @@ $serverCode = <<<'CODE' + $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; + $ctx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); +@@ -31,7 +31,7 @@ $clientCode = <<<'CODE' + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/tlsv1.0_wrapper.phpt b/ext/openssl/tests/tlsv1.0_wrapper.phpt +index adbe7b6308..fc802662ac 100644 +--- a/ext/openssl/tests/tlsv1.0_wrapper.phpt ++++ b/ext/openssl/tests/tlsv1.0_wrapper.phpt +@@ -13,7 +13,7 @@ $serverCode = <<<'CODE' + $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; + $ctx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server('tlsv1.0://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); +@@ -30,7 +30,7 @@ $clientCode = <<<'CODE' + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/tlsv1.1_wrapper.phpt b/ext/openssl/tests/tlsv1.1_wrapper.phpt +index c1aaa04919..84a137b5f4 100644 +--- a/ext/openssl/tests/tlsv1.1_wrapper.phpt ++++ b/ext/openssl/tests/tlsv1.1_wrapper.phpt +@@ -13,7 +13,7 @@ $serverCode = <<<'CODE' + $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; + $ctx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server('tlsv1.1://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); +@@ -30,7 +30,7 @@ $clientCode = <<<'CODE' + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +-- +2.31.1 + +From fe770720985c5f31a79528528be0aa8e0e56a389 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 09:57:40 +0200 +Subject: [PATCH 04/39] Adjust some tests for whitespace differences in OpenSSL + 3 + +A trailing newline is no longer present in OpenSSL 3. + +(cherry picked from commit 0a530d7650c6f9cb7c1b55755c8bf5961052039c) +--- + ext/openssl/tests/bug28382.phpt | 17 +++++++---------- + ext/openssl/tests/cve2013_4073.phpt | 5 ++--- + ext/openssl/tests/openssl_x509_parse_basic.phpt | 10 ++++------ + 3 files changed, 13 insertions(+), 19 deletions(-) + +diff --git a/ext/openssl/tests/bug28382.phpt b/ext/openssl/tests/bug28382.phpt +index 3d8cb528ba..00765ba838 100644 +--- a/ext/openssl/tests/bug28382.phpt ++++ b/ext/openssl/tests/bug28382.phpt +@@ -9,11 +9,10 @@ if (!extension_loaded("openssl")) die("skip"); + $cert = file_get_contents(__DIR__ . "/bug28382cert.txt"); + $ext = openssl_x509_parse($cert); + var_dump($ext['extensions']); +-/* openssl 1.0 prepends the string "Full Name:" to the crlDistributionPoints array key. +- For now, as this is the one difference only between 0.9.x and 1.x, it's handled with +- placeholders to not to duplicate the test. When more diffs come, a duplication would +- be probably a better solution. +-*/ ++/* ++ * The reason for %A at the end of crlDistributionPoints and authorityKeyIdentifier is that ++ * OpenSSL 3.0 removes new lines which were present in previous versions. ++ */ + ?> + --EXPECTF-- + array(11) { +@@ -24,8 +23,7 @@ array(11) { + ["nsCertType"]=> + string(30) "SSL Client, SSL Server, S/MIME" + ["crlDistributionPoints"]=> +- string(%d) "%AURI:http://mobile.blue-software.ro:90/ca/crl.shtml +-" ++ string(%d) "%AURI:http://mobile.blue-software.ro:90/ca/crl.shtml%A" + ["nsCaPolicyUrl"]=> + string(38) "http://mobile.blue-software.ro:90/pub/" + ["subjectAltName"]=> +@@ -33,9 +31,8 @@ array(11) { + ["subjectKeyIdentifier"]=> + string(59) "B0:A7:FF:F9:41:15:DE:23:39:BD:DD:31:0F:97:A0:B2:A2:74:E0:FC" + ["authorityKeyIdentifier"]=> +- string(115) "DirName:/C=RO/ST=Romania/L=Craiova/O=Sergiu/OU=Sergiu SRL/CN=Sergiu CA/emailAddress=n_sergiu@hotmail.com +-serial:00 +-" ++ string(%d) "DirName:/C=RO/ST=Romania/L=Craiova/O=Sergiu/OU=Sergiu SRL/CN=Sergiu CA/emailAddress=n_sergiu@hotmail.com ++serial:00%A" + ["keyUsage"]=> + string(71) "Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment" + ["nsBaseUrl"]=> +diff --git a/ext/openssl/tests/cve2013_4073.phpt b/ext/openssl/tests/cve2013_4073.phpt +index c88021b0ae..5cd05ab040 100644 +--- a/ext/openssl/tests/cve2013_4073.phpt ++++ b/ext/openssl/tests/cve2013_4073.phpt +@@ -9,11 +9,10 @@ $info = openssl_x509_parse($cert); + var_export($info['extensions']); + + ?> +---EXPECT-- ++--EXPECTF-- + array ( + 'basicConstraints' => 'CA:FALSE', + 'subjectKeyIdentifier' => '88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C', + 'keyUsage' => 'Digital Signature, Non Repudiation, Key Encipherment', +- 'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1 +-', ++ 'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1%A', + ) +diff --git a/ext/openssl/tests/openssl_x509_parse_basic.phpt b/ext/openssl/tests/openssl_x509_parse_basic.phpt +index b80c1f71f1..38915157f3 100644 +--- a/ext/openssl/tests/openssl_x509_parse_basic.phpt ++++ b/ext/openssl/tests/openssl_x509_parse_basic.phpt +@@ -153,10 +153,9 @@ array(16) { + ["subjectKeyIdentifier"]=> + string(59) "DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D" + ["authorityKeyIdentifier"]=> +- string(202) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D ++ string(%d) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D + DirName:/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnangelo@php.net +-serial:AE:C5:56:CC:72:37:50:A2 +-" ++serial:AE:C5:56:CC:72:37:50:A2%A" + ["basicConstraints"]=> + string(7) "CA:TRUE" + } +@@ -301,10 +300,9 @@ array(16) { + ["subjectKeyIdentifier"]=> + string(59) "DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D" + ["authorityKeyIdentifier"]=> +- string(202) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D ++ string(%d) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D + DirName:/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnangelo@php.net +-serial:AE:C5:56:CC:72:37:50:A2 +-" ++serial:AE:C5:56:CC:72:37:50:A2%A" + ["basicConstraints"]=> + string(7) "CA:TRUE" + } +-- +2.31.1 + +From 676a47080bed2730b892e4ea43b93deb4acea335 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 11:55:47 +0200 +Subject: [PATCH 05/39] Use different cipher in openssl_seal() test + +RC4 is insecure and not supported in newer versions. + +(cherry picked from commit 046b36bcf8c062375c9f5e2a763d6144c2a484b4) +--- + ext/openssl/tests/openssl_seal_basic.phpt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/openssl/tests/openssl_seal_basic.phpt b/ext/openssl/tests/openssl_seal_basic.phpt +index 16efb05a66..e23045c992 100644 +--- a/ext/openssl/tests/openssl_seal_basic.phpt ++++ b/ext/openssl/tests/openssl_seal_basic.phpt +@@ -9,7 +9,7 @@ $a = 1; + $b = array(1); + $c = array(1); + $d = array(1); +-$method = "RC4"; ++$method = "AES-128-ECB"; + + var_dump(openssl_seal($a, $b, $c, $d, $method)); + +@@ -41,8 +41,8 @@ var_dump(openssl_seal($data, $sealed, $ekeys, array($wrong), $method)); + Warning: openssl_seal(): Not a public key (1th member of pubkeys) in %s on line %d + bool(false) + openssl_seal(): Argument #4 ($public_key) cannot be empty +-int(19) +-int(19) ++int(32) ++int(32) + + Warning: openssl_seal(): Not a public key (2th member of pubkeys) in %s on line %d + bool(false) +-- +2.31.1 + +From 389b4605281975d4ecac92cb3751d18d2e3fd60a Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 11:58:46 +0200 +Subject: [PATCH 06/39] Don't test legacy algorithms in SPKI tests + +MD4 and RMD160 may not be available on newer OpenSSL versions. + +(cherry picked from commit 9695936341c49ea0efec5bdf24acbcdf59e2a7f8) +--- + ext/openssl/tests/openssl_spki_export_basic.phpt | 4 ---- + .../tests/openssl_spki_export_challenge_basic.phpt | 14 -------------- + ext/openssl/tests/openssl_spki_new_basic.phpt | 8 -------- + ext/openssl/tests/openssl_spki_verify_basic.phpt | 7 ------- + 4 files changed, 33 deletions(-) + +diff --git a/ext/openssl/tests/openssl_spki_export_basic.phpt b/ext/openssl/tests/openssl_spki_export_basic.phpt +index 4085d2d5d8..c03954390b 100644 +--- a/ext/openssl/tests/openssl_spki_export_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_export_basic.phpt +@@ -19,14 +19,12 @@ foreach ($key_sizes as $key_size) { + + /* array of available hashings to test */ + $algo = array( +- OPENSSL_ALGO_MD4, + OPENSSL_ALGO_MD5, + OPENSSL_ALGO_SHA1, + OPENSSL_ALGO_SHA224, + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, + OPENSSL_ALGO_SHA512, +- OPENSSL_ALGO_RMD160 + ); + + /* loop over key sizes for test */ +@@ -56,5 +54,3 @@ function _uuid() { + \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\- + \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\- + \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\- +-\-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\- +-\-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\- +diff --git a/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt b/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt +index f44e60ec62..06308bf10c 100644 +--- a/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt +@@ -21,14 +21,12 @@ foreach ($key_sizes as $key_size) { + + /* array of available hashings to test */ + $algo = array( +- OPENSSL_ALGO_MD4, + OPENSSL_ALGO_MD5, + OPENSSL_ALGO_SHA1, + OPENSSL_ALGO_SHA224, + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, + OPENSSL_ALGO_SHA512, +- OPENSSL_ALGO_RMD160 + ); + + /* loop over key sizes for test */ +@@ -89,15 +87,3 @@ string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" + bool\(false\) + string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" + bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +diff --git a/ext/openssl/tests/openssl_spki_new_basic.phpt b/ext/openssl/tests/openssl_spki_new_basic.phpt +index cb54747fe0..8378bd1ac6 100644 +--- a/ext/openssl/tests/openssl_spki_new_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_new_basic.phpt +@@ -18,14 +18,12 @@ foreach ($key_sizes as $key_size) { + + /* array of available hashings to test */ + $algo = array( +- OPENSSL_ALGO_MD4, + OPENSSL_ALGO_MD5, + OPENSSL_ALGO_SHA1, + OPENSSL_ALGO_SHA224, + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, + OPENSSL_ALGO_SHA512, +- OPENSSL_ALGO_RMD160 + ); + + /* loop over key sizes for test */ +@@ -53,21 +51,15 @@ string(478) "%s" + string(478) "%s" + string(478) "%s" + string(478) "%s" +-string(478) "%s" +-string(474) "%s" +-string(830) "%s" + string(830) "%s" + string(830) "%s" + string(830) "%s" + string(830) "%s" + string(830) "%s" + string(830) "%s" +-string(826) "%s" +-string(1510) "%s" + string(1510) "%s" + string(1510) "%s" + string(1510) "%s" + string(1510) "%s" + string(1510) "%s" + string(1510) "%s" +-string(1506) "%s" +diff --git a/ext/openssl/tests/openssl_spki_verify_basic.phpt b/ext/openssl/tests/openssl_spki_verify_basic.phpt +index c760d0cb83..35badcda37 100644 +--- a/ext/openssl/tests/openssl_spki_verify_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_verify_basic.phpt +@@ -25,7 +25,6 @@ $algo = array( + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, + OPENSSL_ALGO_SHA512, +- OPENSSL_ALGO_RMD160 + ); + + /* loop over key sizes for test */ +@@ -80,9 +79,3 @@ bool(true) + bool(false) + bool(true) + bool(false) +-bool(true) +-bool(false) +-bool(true) +-bool(false) +-bool(true) +-bool(false) +-- +2.31.1 + +From 054aeebb623e6d4a055a4bab60a864f8c7f65675 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 12:48:02 +0200 +Subject: [PATCH 07/39] Only report provided ciphers in + openssl_get_cipher_methods() + +With OpenSSL 3 ciphers may be registered, but not provided. Make +sure that openssl_get_cipher_methods() only returns provided +ciphers, so that "in_array openssl_get_cipher_methods" style +checks continue working as expected. + +(cherry picked from commit a80ae97d3176aded77ee422772608a026380fc1a) +--- + ext/openssl/openssl.c | 34 +++++++++++++++++++++++++++++++++- + ext/openssl/php_openssl.h | 4 +++- + 2 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 015cd89aa6..4ffa2185fb 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -6798,6 +6798,31 @@ PHP_FUNCTION(openssl_get_md_methods) + } + /* }}} */ + ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++static void php_openssl_add_cipher_name(const char *name, void *arg) ++{ ++ size_t len = strlen(name); ++ zend_string *str = zend_string_alloc(len, 0); ++ zend_str_tolower_copy(ZSTR_VAL(str), name, len); ++ add_next_index_str((zval*)arg, str); ++} ++ ++static void php_openssl_add_cipher_or_alias(EVP_CIPHER *cipher, void *arg) ++{ ++ EVP_CIPHER_names_do_all(cipher, php_openssl_add_cipher_name, arg); ++} ++ ++static void php_openssl_add_cipher(EVP_CIPHER *cipher, void *arg) ++{ ++ php_openssl_add_cipher_name(EVP_CIPHER_get0_name(cipher), arg); ++} ++ ++static int php_openssl_compare_func(Bucket *a, Bucket *b) ++{ ++ return string_compare_function(&a->val, &b->val); ++} ++#endif ++ + /* {{{ Return array of available cipher algorithms */ + PHP_FUNCTION(openssl_get_cipher_methods) + { +@@ -6807,9 +6832,16 @@ PHP_FUNCTION(openssl_get_cipher_methods) + RETURN_THROWS(); + } + array_init(return_value); ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ EVP_CIPHER_do_all_provided(NULL, ++ aliases ? php_openssl_add_cipher_or_alias : php_openssl_add_cipher, ++ return_value); ++ zend_hash_sort(Z_ARRVAL_P(return_value), php_openssl_compare_func, 1); ++#else + OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, +- aliases ? php_openssl_add_method_or_alias: php_openssl_add_method, ++ aliases ? php_openssl_add_method_or_alias : php_openssl_add_method, + return_value); ++#endif + } + /* }}} */ + +diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h +index c674ead34b..16bad9e6b0 100644 +--- a/ext/openssl/php_openssl.h ++++ b/ext/openssl/php_openssl.h +@@ -39,8 +39,10 @@ extern zend_module_entry openssl_module_entry; + #define PHP_OPENSSL_API_VERSION 0x10001 + #elif OPENSSL_VERSION_NUMBER < 0x10100000L + #define PHP_OPENSSL_API_VERSION 0x10002 +-#else ++#elif OPENSSL_VERSION_NUMBER < 0x30000000L + #define PHP_OPENSSL_API_VERSION 0x10100 ++#else ++#define PHP_OPENSSL_API_VERSION 0x30000 + #endif + #endif + +-- +2.31.1 + +From 62fbe1839d980583156b0d22c49753c4666e73e8 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 12:05:02 +0200 +Subject: [PATCH 08/39] Avoid RC4 use in another test + +(cherry picked from commit 503146aa87e48f075f47a093ed7868e323814a66) +--- + ext/openssl/tests/openssl_open_basic.phpt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/openssl/tests/openssl_open_basic.phpt b/ext/openssl/tests/openssl_open_basic.phpt +index 5e551c507f..271a878cdf 100644 +--- a/ext/openssl/tests/openssl_open_basic.phpt ++++ b/ext/openssl/tests/openssl_open_basic.phpt +@@ -8,7 +8,7 @@ $data = "openssl_open() test"; + $pub_key = "file://" . __DIR__ . "/public.key"; + $priv_key = "file://" . __DIR__ . "/private_rsa_1024.key"; + $wrong = "wrong"; +-$method = "RC4"; ++$method = "AES-128-ECB"; + + openssl_seal($data, $sealed, $ekeys, array($pub_key, $pub_key, $pub_key), $method); + openssl_open($sealed, $output, $ekeys[0], $priv_key, $method); +-- +2.31.1 + +From 95e6b2c67de6a63d059b678d14f291487f563163 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 15:47:14 +0200 +Subject: [PATCH 09/39] Use EVP_PKEY API for + openssl_public_encrypt/private_decrypt + +Use the high level API instead of the deprecated low level API. + +(cherry picked from commit 0233afae2762a7e7be49935ebbb981783c471d13) +--- + ext/openssl/openssl.c | 117 +++++++----------- + .../tests/openssl_error_string_basic.phpt | 2 +- + 2 files changed, 45 insertions(+), 74 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 4ffa2185fb..64840da451 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -6230,11 +6230,6 @@ PHP_FUNCTION(openssl_private_encrypt) + PHP_FUNCTION(openssl_private_decrypt) + { + zval *key, *crypted; +- EVP_PKEY *pkey; +- int cryptedlen; +- zend_string *cryptedbuf = NULL; +- unsigned char *crypttemp; +- int successful = 0; + zend_long padding = RSA_PKCS1_PADDING; + char * data; + size_t data_len; +@@ -6243,11 +6238,7 @@ PHP_FUNCTION(openssl_private_decrypt) + RETURN_THROWS(); + } + +- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1); +- +- RETVAL_FALSE; +- +- pkey = php_openssl_pkey_from_zval(key, 0, "", 0); ++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 0, "", 0); + if (pkey == NULL) { + if (!EG(exception)) { + php_error_docref(NULL, E_WARNING, "key parameter is not a valid private key"); +@@ -6255,42 +6246,33 @@ PHP_FUNCTION(openssl_private_decrypt) + RETURN_FALSE; + } + +- cryptedlen = EVP_PKEY_size(pkey); +- crypttemp = emalloc(cryptedlen + 1); +- +- switch (EVP_PKEY_id(pkey)) { +- case EVP_PKEY_RSA: +- case EVP_PKEY_RSA2: +- cryptedlen = RSA_private_decrypt((int)data_len, +- (unsigned char *)data, +- crypttemp, +- EVP_PKEY_get0_RSA(pkey), +- (int)padding); +- if (cryptedlen != -1) { +- cryptedbuf = zend_string_alloc(cryptedlen, 0); +- memcpy(ZSTR_VAL(cryptedbuf), crypttemp, cryptedlen); +- successful = 1; +- } +- break; +- default: +- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!"); ++ size_t out_len = 0; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL); ++ if (!ctx || EVP_PKEY_decrypt_init(ctx) <= 0 || ++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 || ++ EVP_PKEY_decrypt(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) { ++ php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + +- efree(crypttemp); +- +- if (successful) { +- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0'; +- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf); +- cryptedbuf = NULL; +- RETVAL_TRUE; +- } else { ++ zend_string *out = zend_string_alloc(out_len, 0); ++ if (EVP_PKEY_decrypt(ctx, (unsigned char *) ZSTR_VAL(out), &out_len, ++ (unsigned char *) data, data_len) <= 0) { ++ zend_string_release(out); + php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + ++ out = zend_string_truncate(out, out_len, 0); ++ ZSTR_VAL(out)[out_len] = '\0'; ++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out); ++ RETVAL_TRUE; ++ ++cleanup: ++ EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +- if (cryptedbuf) { +- zend_string_release_ex(cryptedbuf, 0); +- } + } + /* }}} */ + +@@ -6298,10 +6280,6 @@ PHP_FUNCTION(openssl_private_decrypt) + PHP_FUNCTION(openssl_public_encrypt) + { + zval *key, *crypted; +- EVP_PKEY *pkey; +- int cryptedlen; +- zend_string *cryptedbuf; +- int successful = 0; + zend_long padding = RSA_PKCS1_PADDING; + char * data; + size_t data_len; +@@ -6310,11 +6288,7 @@ PHP_FUNCTION(openssl_public_encrypt) + RETURN_THROWS(); + } + +- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1); +- +- RETVAL_FALSE; +- +- pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0); ++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0); + if (pkey == NULL) { + if (!EG(exception)) { + php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key"); +@@ -6322,35 +6296,32 @@ PHP_FUNCTION(openssl_public_encrypt) + RETURN_FALSE; + } + +- cryptedlen = EVP_PKEY_size(pkey); +- cryptedbuf = zend_string_alloc(cryptedlen, 0); +- +- switch (EVP_PKEY_id(pkey)) { +- case EVP_PKEY_RSA: +- case EVP_PKEY_RSA2: +- successful = (RSA_public_encrypt((int)data_len, +- (unsigned char *)data, +- (unsigned char *)ZSTR_VAL(cryptedbuf), +- EVP_PKEY_get0_RSA(pkey), +- (int)padding) == cryptedlen); +- break; +- default: +- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!"); +- ++ size_t out_len = 0; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL); ++ if (!ctx || EVP_PKEY_encrypt_init(ctx) <= 0 || ++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 || ++ EVP_PKEY_encrypt(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) { ++ php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + +- if (successful) { +- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0'; +- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf); +- cryptedbuf = NULL; +- RETVAL_TRUE; +- } else { ++ zend_string *out = zend_string_alloc(out_len, 0); ++ if (EVP_PKEY_encrypt(ctx, (unsigned char *) ZSTR_VAL(out), &out_len, ++ (unsigned char *) data, data_len) <= 0) { ++ zend_string_release(out); + php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } ++ ++ ZSTR_VAL(out)[out_len] = '\0'; ++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out); ++ RETVAL_TRUE; ++ ++cleanup: ++ EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +- if (cryptedbuf) { +- zend_string_release_ex(cryptedbuf, 0); +- } + } + /* }}} */ + +diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt +index b55b7ced44..eb76dfbf77 100644 +--- a/ext/openssl/tests/openssl_error_string_basic.phpt ++++ b/ext/openssl/tests/openssl_error_string_basic.phpt +@@ -119,7 +119,7 @@ expect_openssl_errors('openssl_private_decrypt', ['04065072']); + // public encrypt and decrypt with failed padding check and padding + @openssl_public_encrypt("data", $crypted, $public_key_file, 1000); + @openssl_public_decrypt("data", $crypted, $public_key_file); +-expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '04068076', '04067072']); ++expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '0408F090', '04067072']); + + // X509 + echo "X509 errors\n"; +-- +2.31.1 + +From b29b719e4741cde6d1e441e0340f038976cb461b Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 16:56:32 +0200 +Subject: [PATCH 10/39] Use EVP_PKEY APIs for + openssl_private_encrypt/public_decrypt + +Use high level APIs instead of deprecated low level APIs. + +(cherry picked from commit 384ad6e22412756d7a2fa7a4c35579f041784e59) +--- + ext/openssl/openssl.c | 119 +++++++----------- + .../tests/openssl_error_string_basic.phpt | 2 +- + 2 files changed, 45 insertions(+), 76 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 64840da451..4e9b949b5f 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -6170,10 +6170,6 @@ clean_exit: + PHP_FUNCTION(openssl_private_encrypt) + { + zval *key, *crypted; +- EVP_PKEY *pkey; +- int cryptedlen; +- zend_string *cryptedbuf = NULL; +- int successful = 0; + char * data; + size_t data_len; + zend_long padding = RSA_PKCS1_PADDING; +@@ -6182,12 +6178,7 @@ PHP_FUNCTION(openssl_private_encrypt) + RETURN_THROWS(); + } + +- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1); +- +- RETVAL_FALSE; +- +- pkey = php_openssl_pkey_from_zval(key, 0, "", 0); +- ++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 0, "", 0); + if (pkey == NULL) { + if (!EG(exception)) { + php_error_docref(NULL, E_WARNING, "key param is not a valid private key"); +@@ -6195,33 +6186,31 @@ PHP_FUNCTION(openssl_private_encrypt) + RETURN_FALSE; + } + +- cryptedlen = EVP_PKEY_size(pkey); +- cryptedbuf = zend_string_alloc(cryptedlen, 0); +- +- switch (EVP_PKEY_id(pkey)) { +- case EVP_PKEY_RSA: +- case EVP_PKEY_RSA2: +- successful = (RSA_private_encrypt((int)data_len, +- (unsigned char *)data, +- (unsigned char *)ZSTR_VAL(cryptedbuf), +- EVP_PKEY_get0_RSA(pkey), +- (int)padding) == cryptedlen); +- break; +- default: +- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!"); ++ size_t out_len = 0; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL); ++ if (!ctx || EVP_PKEY_sign_init(ctx) <= 0 || ++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 || ++ EVP_PKEY_sign(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) { ++ php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + +- if (successful) { +- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0'; +- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf); +- cryptedbuf = NULL; +- RETVAL_TRUE; +- } else { ++ zend_string *out = zend_string_alloc(out_len, 0); ++ if (EVP_PKEY_sign(ctx, (unsigned char *) ZSTR_VAL(out), &out_len, ++ (unsigned char *) data, data_len) <= 0) { ++ zend_string_release(out); + php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } +- if (cryptedbuf) { +- zend_string_release_ex(cryptedbuf, 0); +- } ++ ++ ZSTR_VAL(out)[out_len] = '\0'; ++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out); ++ RETVAL_TRUE; ++ ++cleanup: ++ EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + } + /* }}} */ +@@ -6329,11 +6318,6 @@ cleanup: + PHP_FUNCTION(openssl_public_decrypt) + { + zval *key, *crypted; +- EVP_PKEY *pkey; +- int cryptedlen; +- zend_string *cryptedbuf = NULL; +- unsigned char *crypttemp; +- int successful = 0; + zend_long padding = RSA_PKCS1_PADDING; + char * data; + size_t data_len; +@@ -6342,11 +6326,7 @@ PHP_FUNCTION(openssl_public_decrypt) + RETURN_THROWS(); + } + +- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1); +- +- RETVAL_FALSE; +- +- pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0); ++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0); + if (pkey == NULL) { + if (!EG(exception)) { + php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key"); +@@ -6354,43 +6334,32 @@ PHP_FUNCTION(openssl_public_decrypt) + RETURN_FALSE; + } + +- cryptedlen = EVP_PKEY_size(pkey); +- crypttemp = emalloc(cryptedlen + 1); +- +- switch (EVP_PKEY_id(pkey)) { +- case EVP_PKEY_RSA: +- case EVP_PKEY_RSA2: +- cryptedlen = RSA_public_decrypt((int)data_len, +- (unsigned char *)data, +- crypttemp, +- EVP_PKEY_get0_RSA(pkey), +- (int)padding); +- if (cryptedlen != -1) { +- cryptedbuf = zend_string_alloc(cryptedlen, 0); +- memcpy(ZSTR_VAL(cryptedbuf), crypttemp, cryptedlen); +- successful = 1; +- } +- break; +- +- default: +- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!"); +- ++ size_t out_len = 0; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL); ++ if (!ctx || EVP_PKEY_verify_recover_init(ctx) <= 0 || ++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 || ++ EVP_PKEY_verify_recover(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) { ++ php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + +- efree(crypttemp); +- +- if (successful) { +- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0'; +- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf); +- cryptedbuf = NULL; +- RETVAL_TRUE; +- } else { ++ zend_string *out = zend_string_alloc(out_len, 0); ++ if (EVP_PKEY_verify_recover(ctx, (unsigned char *) ZSTR_VAL(out), &out_len, ++ (unsigned char *) data, data_len) <= 0) { ++ zend_string_release(out); + php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + +- if (cryptedbuf) { +- zend_string_release_ex(cryptedbuf, 0); +- } ++ out = zend_string_truncate(out, out_len, 0); ++ ZSTR_VAL(out)[out_len] = '\0'; ++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out); ++ RETVAL_TRUE; ++ ++cleanup: ++ EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + } + /* }}} */ +diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt +index eb76dfbf77..f3eb82067b 100644 +--- a/ext/openssl/tests/openssl_error_string_basic.phpt ++++ b/ext/openssl/tests/openssl_error_string_basic.phpt +@@ -112,7 +112,7 @@ expect_openssl_errors('openssl_pkey_export', ['06065064', '0906A065']); + expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]); + // private encrypt with unknown padding + @openssl_private_encrypt("data", $crypted, $private_key_file, 1000); +-expect_openssl_errors('openssl_private_encrypt', ['04066076']); ++expect_openssl_errors('openssl_private_encrypt', ['0408F090']); + // private decrypt with failed padding check + @openssl_private_decrypt("data", $crypted, $private_key_file); + expect_openssl_errors('openssl_private_decrypt', ['04065072']); +-- +2.31.1 + +From bfdbdfb6bf128c157adfba402b89b0f82be993ab Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Thu, 5 Aug 2021 10:29:50 +0200 +Subject: [PATCH 11/39] Use EVP_PKEY APIs for key generation + +Use high level API instead of deprecated low level API. + +(cherry picked from commit 13313d9b1b9fa014fe6f92c496477e28f4f11772) +--- + ext/openssl/openssl.c | 210 +++++++++++++++----------------- + ext/openssl/tests/bug80747.phpt | 4 +- + 2 files changed, 101 insertions(+), 113 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 4e9b949b5f..d260670ff9 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3656,140 +3656,130 @@ static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *pas + return key; + } + ++static int php_openssl_get_evp_pkey_type(int key_type) { ++ switch (key_type) { ++ case OPENSSL_KEYTYPE_RSA: ++ return EVP_PKEY_RSA; ++#if !defined(NO_DSA) ++ case OPENSSL_KEYTYPE_DSA: ++ return EVP_PKEY_DSA; ++#endif ++#if !defined(NO_DH) ++ case OPENSSL_KEYTYPE_DH: ++ return EVP_PKEY_DH; ++#endif ++#ifdef HAVE_EVP_PKEY_EC ++ case OPENSSL_KEYTYPE_EC: ++ return EVP_PKEY_EC; ++#endif ++ default: ++ return -1; ++ } ++} ++ + /* {{{ php_openssl_generate_private_key */ + static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req) + { +- char * randfile = NULL; +- int egdsocket, seeded; +- EVP_PKEY * return_val = NULL; +- + if (req->priv_key_bits < MIN_KEY_LENGTH) { + php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d", + MIN_KEY_LENGTH, req->priv_key_bits); + return NULL; + } + +- randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE"); ++ int type = php_openssl_get_evp_pkey_type(req->priv_key_type); ++ if (type < 0) { ++ php_error_docref(NULL, E_WARNING, "Unsupported private key type"); ++ return NULL; ++ } ++ ++ int egdsocket, seeded; ++ char *randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE"); + php_openssl_load_rand_file(randfile, &egdsocket, &seeded); ++ PHP_OPENSSL_RAND_ADD_TIME(); + +- if ((req->priv_key = EVP_PKEY_new()) != NULL) { +- switch(req->priv_key_type) { +- case OPENSSL_KEYTYPE_RSA: +- { +- RSA* rsaparam; +-#if OPENSSL_VERSION_NUMBER < 0x10002000L +- /* OpenSSL 1.0.2 deprecates RSA_generate_key */ +- PHP_OPENSSL_RAND_ADD_TIME(); +- rsaparam = (RSA*)RSA_generate_key(req->priv_key_bits, RSA_F4, NULL, NULL); +-#else +- { +- BIGNUM *bne = (BIGNUM *)BN_new(); +- if (BN_set_word(bne, RSA_F4) != 1) { +- BN_free(bne); +- php_error_docref(NULL, E_WARNING, "Failed setting exponent"); +- return NULL; +- } +- rsaparam = RSA_new(); +- PHP_OPENSSL_RAND_ADD_TIME(); +- if (rsaparam == NULL || !RSA_generate_key_ex(rsaparam, req->priv_key_bits, bne, NULL)) { +- php_openssl_store_errors(); +- RSA_free(rsaparam); +- rsaparam = NULL; +- } +- BN_free(bne); +- } +-#endif +- if (rsaparam && EVP_PKEY_assign_RSA(req->priv_key, rsaparam)) { +- return_val = req->priv_key; +- } else { +- php_openssl_store_errors(); +- } +- } +- break; ++ EVP_PKEY *key = NULL; ++ EVP_PKEY *params = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(type, NULL); ++ if (!ctx) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ ++ if (type != EVP_PKEY_RSA) { ++ if (EVP_PKEY_paramgen_init(ctx) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ ++ switch (type) { + #if !defined(NO_DSA) +- case OPENSSL_KEYTYPE_DSA: +- PHP_OPENSSL_RAND_ADD_TIME(); +- { +- DSA *dsaparam = DSA_new(); +- if (dsaparam && DSA_generate_parameters_ex(dsaparam, req->priv_key_bits, NULL, 0, NULL, NULL, NULL)) { +- DSA_set_method(dsaparam, DSA_get_default_method()); +- if (DSA_generate_key(dsaparam)) { +- if (EVP_PKEY_assign_DSA(req->priv_key, dsaparam)) { +- return_val = req->priv_key; +- } else { +- php_openssl_store_errors(); +- } +- } else { +- php_openssl_store_errors(); +- DSA_free(dsaparam); +- } +- } else { +- php_openssl_store_errors(); +- } +- } +- break; ++ case EVP_PKEY_DSA: ++ if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, req->priv_key_bits) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ break; + #endif + #if !defined(NO_DH) +- case OPENSSL_KEYTYPE_DH: +- PHP_OPENSSL_RAND_ADD_TIME(); +- { +- int codes = 0; +- DH *dhparam = DH_new(); +- if (dhparam && DH_generate_parameters_ex(dhparam, req->priv_key_bits, 2, NULL)) { +- DH_set_method(dhparam, DH_get_default_method()); +- if (DH_check(dhparam, &codes) && codes == 0 && DH_generate_key(dhparam)) { +- if (EVP_PKEY_assign_DH(req->priv_key, dhparam)) { +- return_val = req->priv_key; +- } else { +- php_openssl_store_errors(); +- } +- } else { +- php_openssl_store_errors(); +- DH_free(dhparam); +- } +- } else { +- php_openssl_store_errors(); +- } +- } +- break; ++ case EVP_PKEY_DH: ++ if (EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, req->priv_key_bits) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ break; + #endif + #ifdef HAVE_EVP_PKEY_EC +- case OPENSSL_KEYTYPE_EC: +- { +- EC_KEY *eckey; +- if (req->curve_name == NID_undef) { +- php_error_docref(NULL, E_WARNING, "Missing configuration value: \"curve_name\" not set"); +- return NULL; +- } +- eckey = EC_KEY_new_by_curve_name(req->curve_name); +- if (eckey) { +- EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); +- if (EC_KEY_generate_key(eckey) && +- EVP_PKEY_assign_EC_KEY(req->priv_key, eckey)) { +- return_val = req->priv_key; +- } else { +- EC_KEY_free(eckey); +- } +- } +- } +- break; ++ case EVP_PKEY_EC: ++ if (req->curve_name == NID_undef) { ++ php_error_docref(NULL, E_WARNING, "Missing configuration value: \"curve_name\" not set"); ++ goto cleanup; ++ } ++ ++ if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, req->curve_name) <= 0 || ++ EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ break; + #endif +- default: +- php_error_docref(NULL, E_WARNING, "Unsupported private key type"); ++ EMPTY_SWITCH_DEFAULT_CASE() + } +- } else { ++ ++ if (EVP_PKEY_paramgen(ctx, ¶ms) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ ++ EVP_PKEY_CTX_free(ctx); ++ ctx = EVP_PKEY_CTX_new(params, NULL); ++ if (!ctx) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ } ++ ++ if (EVP_PKEY_keygen_init(ctx) <= 0) { + php_openssl_store_errors(); ++ goto cleanup; + } + +- php_openssl_write_rand_file(randfile, egdsocket, seeded); ++ if (type == EVP_PKEY_RSA && EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, req->priv_key_bits) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } + +- if (return_val == NULL) { +- EVP_PKEY_free(req->priv_key); +- req->priv_key = NULL; +- return NULL; ++ if (EVP_PKEY_keygen(ctx, &key) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; + } + +- return return_val; ++ req->priv_key = key; ++ ++cleanup: ++ php_openssl_write_rand_file(randfile, egdsocket, seeded); ++ EVP_PKEY_free(params); ++ EVP_PKEY_CTX_free(ctx); ++ return key; + } + /* }}} */ + +diff --git a/ext/openssl/tests/bug80747.phpt b/ext/openssl/tests/bug80747.phpt +index 327c916688..12ae0ff0e1 100644 +--- a/ext/openssl/tests/bug80747.phpt ++++ b/ext/openssl/tests/bug80747.phpt +@@ -14,9 +14,7 @@ $conf = array( + 'private_key_bits' => 511, + ); + var_dump(openssl_pkey_new($conf)); +-while ($e = openssl_error_string()) { +- echo $e, "\n"; +-} ++echo openssl_error_string(), "\n"; + + ?> + --EXPECTF-- +-- +2.31.1 + +From 8dfe551ef85a874df63d0bb50b2d065c3370fd7e Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Thu, 5 Aug 2021 11:50:11 +0200 +Subject: [PATCH 12/39] Relax error check + +The precise error is version-dependent, just check that there +is some kind of error reported. + +(cherry picked from commit cd8bf0b6bd23e03bdc8d069df53a2d976809a916) +--- + ext/openssl/tests/bug80747.phpt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/openssl/tests/bug80747.phpt b/ext/openssl/tests/bug80747.phpt +index 12ae0ff0e1..3f319b4b24 100644 +--- a/ext/openssl/tests/bug80747.phpt ++++ b/ext/openssl/tests/bug80747.phpt +@@ -14,9 +14,9 @@ $conf = array( + 'private_key_bits' => 511, + ); + var_dump(openssl_pkey_new($conf)); +-echo openssl_error_string(), "\n"; ++var_dump(openssl_error_string() !== false); + + ?> +---EXPECTF-- ++--EXPECT-- + bool(false) +-error:%s:key size too small ++bool(true) +-- +2.31.1 + +From 44859f59f3ff3d7cf24ae146e9b0da348e6befcd Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Thu, 5 Aug 2021 12:59:13 +0200 +Subject: [PATCH 13/39] Store whether pkey object contains private key + +Rather than querying whether the EVP_PKEY contains private key +information, determine this at time of construction and store it +in the PHP object. + +OpenSSL doesn't provide an API for this purpose, and seems +somewhat reluctant to add one, see +https://github.com/openssl/openssl/issues/9467. + +To avoid using deprecated low-level APIs to determine whether +something is a private key ourselves, remember it at the point +of construction. + +(cherry picked from commit f878bbd96b34ac11fed66c895891570ef10b0dcb) +--- + ext/openssl/openssl.c | 155 +++++++++--------------------------------- + 1 file changed, 31 insertions(+), 124 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index d260670ff9..1fca64df15 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -201,6 +201,7 @@ static void php_openssl_request_free_obj(zend_object *object) + + typedef struct _php_openssl_pkey_object { + EVP_PKEY *pkey; ++ bool is_private; + zend_object std; + } php_openssl_pkey_object; + +@@ -224,6 +225,13 @@ static zend_object *php_openssl_pkey_create_object(zend_class_entry *class_type) + return &intern->std; + } + ++static void php_openssl_pkey_object_init(zval *zv, EVP_PKEY *pkey, bool is_private) { ++ object_init_ex(zv, php_openssl_pkey_ce); ++ php_openssl_pkey_object *obj = Z_OPENSSL_PKEY_P(zv); ++ obj->pkey = pkey; ++ obj->is_private = is_private; ++} ++ + static zend_function *php_openssl_pkey_get_constructor(zend_object *object) { + zend_throw_error(NULL, "Cannot directly construct OpenSSLAsymmetricKey, use openssl_pkey_new() instead"); + return NULL; +@@ -517,7 +525,6 @@ static X509 *php_openssl_x509_from_zval(zval *val, bool *free_cert); + static X509_REQ *php_openssl_csr_from_param(zend_object *csr_obj, zend_string *csr_str); + static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *passphrase, size_t passphrase_len); + +-static int php_openssl_is_private_key(EVP_PKEY* pkey); + static X509_STORE * php_openssl_setup_verify(zval * calist); + static STACK_OF(X509) * php_openssl_load_all_certs_from_file(char *certfile); + static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req); +@@ -3362,11 +3369,8 @@ PHP_FUNCTION(openssl_csr_new) + if (we_made_the_key) { + /* and an object for the private key */ + zval zkey_object; +- php_openssl_pkey_object *key_object; +- object_init_ex(&zkey_object, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(&zkey_object); +- key_object->pkey = req.priv_key; +- ++ php_openssl_pkey_object_init( ++ &zkey_object, req.priv_key, /* is_private */ true); + ZEND_TRY_ASSIGN_REF_TMP(out_pkey, &zkey_object); + req.priv_key = NULL; /* make sure the cleanup code doesn't zap it! */ + } +@@ -3424,7 +3428,6 @@ PHP_FUNCTION(openssl_csr_get_public_key) + zend_string *csr_str; + zend_bool use_shortnames = 1; + +- php_openssl_pkey_object *key_object; + EVP_PKEY *tpubkey; + + ZEND_PARSE_PARAMETERS_START(1, 2) +@@ -3467,9 +3470,7 @@ PHP_FUNCTION(openssl_csr_get_public_key) + RETURN_FALSE; + } + +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = tpubkey; ++ php_openssl_pkey_object_init(return_value, tpubkey, /* is_private */ false); + } + /* }}} */ + +@@ -3545,10 +3546,9 @@ static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *pas + } + + if (Z_TYPE_P(val) == IS_OBJECT && Z_OBJCE_P(val) == php_openssl_pkey_ce) { +- int is_priv; +- +- key = php_openssl_pkey_from_obj(Z_OBJ_P(val))->pkey; +- is_priv = php_openssl_is_private_key(key); ++ php_openssl_pkey_object *obj = php_openssl_pkey_from_obj(Z_OBJ_P(val)); ++ key = obj->pkey; ++ bool is_priv = obj->is_private; + + /* check whether it is actually a private key if requested */ + if (!public_key && !is_priv) { +@@ -3783,85 +3783,6 @@ cleanup: + } + /* }}} */ + +-/* {{{ php_openssl_is_private_key +- Check whether the supplied key is a private key by checking if the secret prime factors are set */ +-static int php_openssl_is_private_key(EVP_PKEY* pkey) +-{ +- assert(pkey != NULL); +- +- switch (EVP_PKEY_id(pkey)) { +- case EVP_PKEY_RSA: +- case EVP_PKEY_RSA2: +- { +- RSA *rsa = EVP_PKEY_get0_RSA(pkey); +- if (rsa != NULL) { +- const BIGNUM *p, *q; +- +- RSA_get0_factors(rsa, &p, &q); +- if (p == NULL || q == NULL) { +- return 0; +- } +- } +- } +- break; +- case EVP_PKEY_DSA: +- case EVP_PKEY_DSA1: +- case EVP_PKEY_DSA2: +- case EVP_PKEY_DSA3: +- case EVP_PKEY_DSA4: +- { +- DSA *dsa = EVP_PKEY_get0_DSA(pkey); +- if (dsa != NULL) { +- const BIGNUM *p, *q, *g, *pub_key, *priv_key; +- +- DSA_get0_pqg(dsa, &p, &q, &g); +- if (p == NULL || q == NULL) { +- return 0; +- } +- +- DSA_get0_key(dsa, &pub_key, &priv_key); +- if (priv_key == NULL) { +- return 0; +- } +- } +- } +- break; +- case EVP_PKEY_DH: +- { +- DH *dh = EVP_PKEY_get0_DH(pkey); +- if (dh != NULL) { +- const BIGNUM *p, *q, *g, *pub_key, *priv_key; +- +- DH_get0_pqg(dh, &p, &q, &g); +- if (p == NULL) { +- return 0; +- } +- +- DH_get0_key(dh, &pub_key, &priv_key); +- if (priv_key == NULL) { +- return 0; +- } +- } +- } +- break; +-#ifdef HAVE_EVP_PKEY_EC +- case EVP_PKEY_EC: +- { +- EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); +- if (ec != NULL && NULL == EC_KEY_get0_private_key(ec)) { +- return 0; +- } +- } +- break; +-#endif +- default: +- php_error_docref(NULL, E_WARNING, "Key type not supported in this PHP build!"); +- break; +- } +- return 1; +-} +-/* }}} */ +- + #define OPENSSL_GET_BN(_array, _bn, _name) do { \ + if (_bn != NULL) { \ + int len = BN_num_bytes(_bn); \ +@@ -3920,7 +3841,7 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, + } + + /* {{{ php_openssl_pkey_init_dsa */ +-static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data) ++static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_private) + { + BIGNUM *p, *q, *g, *priv_key, *pub_key; + const BIGNUM *priv_key_const, *pub_key_const; +@@ -3934,6 +3855,7 @@ static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data) + + OPENSSL_PKEY_SET_BN(data, pub_key); + OPENSSL_PKEY_SET_BN(data, priv_key); ++ *is_private = priv_key != NULL; + if (pub_key) { + return DSA_set0_key(dsa, pub_key, priv_key); + } +@@ -3998,7 +3920,7 @@ static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM + /* }}} */ + + /* {{{ php_openssl_pkey_init_dh */ +-static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data) ++static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private) + { + BIGNUM *p, *q, *g, *priv_key, *pub_key; + +@@ -4011,6 +3933,7 @@ static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data) + + OPENSSL_PKEY_SET_BN(data, priv_key); + OPENSSL_PKEY_SET_BN(data, pub_key); ++ *is_private = priv_key != NULL; + if (pub_key) { + return DH_set0_key(dh, pub_key, priv_key); + } +@@ -4039,7 +3962,6 @@ PHP_FUNCTION(openssl_pkey_new) + struct php_x509_request req; + zval * args = NULL; + zval *data; +- php_openssl_pkey_object *key_object; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "|a!", &args) == FAILURE) { + RETURN_THROWS(); +@@ -4056,9 +3978,7 @@ PHP_FUNCTION(openssl_pkey_new) + RSA *rsa = RSA_new(); + if (rsa) { + if (php_openssl_pkey_init_and_assign_rsa(pkey, rsa, data)) { +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true); + return; + } + RSA_free(rsa); +@@ -4076,11 +3996,10 @@ PHP_FUNCTION(openssl_pkey_new) + if (pkey) { + DSA *dsa = DSA_new(); + if (dsa) { +- if (php_openssl_pkey_init_dsa(dsa, data)) { ++ bool is_private; ++ if (php_openssl_pkey_init_dsa(dsa, data, &is_private)) { + if (EVP_PKEY_assign_DSA(pkey, dsa)) { +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); + return; + } else { + php_openssl_store_errors(); +@@ -4101,13 +4020,10 @@ PHP_FUNCTION(openssl_pkey_new) + if (pkey) { + DH *dh = DH_new(); + if (dh) { +- if (php_openssl_pkey_init_dh(dh, data)) { ++ bool is_private; ++ if (php_openssl_pkey_init_dh(dh, data, &is_private)) { + if (EVP_PKEY_assign_DH(pkey, dh)) { +- php_openssl_pkey_object *key_object; +- +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); + return; + } else { + php_openssl_store_errors(); +@@ -4133,6 +4049,7 @@ PHP_FUNCTION(openssl_pkey_new) + if (pkey) { + eckey = EC_KEY_new(); + if (eckey) { ++ bool is_private = false; + EC_GROUP *group = NULL; + zval *bn; + zval *x; +@@ -4164,6 +4081,7 @@ PHP_FUNCTION(openssl_pkey_new) + // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y' + if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL && + Z_TYPE_P(bn) == IS_STRING) { ++ is_private = true; + d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL); + if (!EC_KEY_set_private_key(eckey, d)) { + php_openssl_store_errors(); +@@ -4211,10 +4129,7 @@ PHP_FUNCTION(openssl_pkey_new) + } + if (EC_KEY_check_key(eckey) && EVP_PKEY_assign_EC_KEY(pkey, eckey)) { + EC_GROUP_free(group); +- +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); + return; + } else { + php_openssl_store_errors(); +@@ -4249,9 +4164,7 @@ clean_exit: + if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) { + if (php_openssl_generate_private_key(&req)) { + /* pass back a key resource */ +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = req.priv_key; ++ php_openssl_pkey_object_init(return_value, req.priv_key, /* is_private */ true); + /* make sure the cleanup code doesn't zap it! */ + req.priv_key = NULL; + } +@@ -4424,7 +4337,6 @@ PHP_FUNCTION(openssl_pkey_get_public) + { + zval *cert; + EVP_PKEY *pkey; +- php_openssl_pkey_object *key_object; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &cert) == FAILURE) { + RETURN_THROWS(); +@@ -4434,9 +4346,7 @@ PHP_FUNCTION(openssl_pkey_get_public) + RETURN_FALSE; + } + +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ false); + } + /* }}} */ + +@@ -4458,7 +4368,6 @@ PHP_FUNCTION(openssl_pkey_get_private) + EVP_PKEY *pkey; + char * passphrase = ""; + size_t passphrase_len = sizeof("")-1; +- php_openssl_pkey_object *key_object; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|s!", &cert, &passphrase, &passphrase_len) == FAILURE) { + RETURN_THROWS(); +@@ -4473,9 +4382,7 @@ PHP_FUNCTION(openssl_pkey_get_private) + RETURN_FALSE; + } + +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true); + } + + /* }}} */ +-- +2.31.1 + +From c58ef46342a52c8b81ee6f727257a2b471b6d9c3 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Thu, 5 Aug 2021 14:59:16 +0200 +Subject: [PATCH 14/39] Add test for openssl_dh_compute_key() + +This function was not tested at all :( + +(cherry picked from commit 7168f71e00676172e7fcf710adfc07eccd6714e6) +--- + ext/openssl/tests/openssl_dh_compute_key.phpt | 29 +++++++++++++++++++ + 1 file changed, 29 insertions(+) + create mode 100644 ext/openssl/tests/openssl_dh_compute_key.phpt + +diff --git a/ext/openssl/tests/openssl_dh_compute_key.phpt b/ext/openssl/tests/openssl_dh_compute_key.phpt +new file mode 100644 +index 0000000000..8730f4b57d +--- /dev/null ++++ b/ext/openssl/tests/openssl_dh_compute_key.phpt +@@ -0,0 +1,29 @@ ++--TEST-- ++openssl_dh_compute_key() ++--FILE-- ++<?php ++ ++$privateKey = <<<'KEY' ++-----BEGIN PRIVATE KEY----- ++MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBANn6weB11zG7izhfzM4qsITZ ++3q/ORkF6+h3RTn7sh8Ji1MpHt3zHcPfdYFvs7V5SJfNN5Xv9L62RN8GwgxwRWIJr ++8VBHfL3LyZNMMgnGBGJR0qmoM48iNd8i2ggZYj+H8WVh2y6tGw1YsDI3AFHpZFkN ++TvCT1JHl2JfNEgOgSryBO84KDEWLxWaN/4Nqa9x5R0fxKMLjpWNRzEBBKcVeEHIZ ++gzl7VKVJEpYC336sjYJE19ZD0O/gWl+q4WeRpDazDi6LDLZgnoDrUgbNAXtDETKL ++gKOnYq+iwRWCQicQmaQvGXntmgdriExVacrRnH8o09ioxcVdtPG8WuLeqJczCvsC ++AQIEggEEAoIBAH1yv00aZkw/7IIAJL1fZUrpVeO3xKIQDl982HOKS32+o2mUJWbc ++DuDMIOvqiUEltEnFQOqDaJue0ucseJdH5Q9JHlSIhuUQiPB/JfEcPlb2QYzXHuAE ++fWS94X0wiSxYgKXIL0XceA3yg5bYhDSR3DntdJrbboyYHt/QGQ8WCWiYEa402ovI ++x+r7k3BlGxah33HeuqhMCFAfFvWUhLaj85QEmjHTjVMKeeTlNfBS+nscbCcZvLXd ++qanvRxYYGdOhgLTcJe/iUsxmAWVTiqrid8MEvtFrenanawTgnPXAp5WtYTCGcsiQ ++TBG24ND/tnZpPoPz/Rwlpo1IL4IbvKGRsfU= ++-----END PRIVATE KEY----- ++KEY; ++ ++$publicKey = hex2bin("29ECC536A85A4AFAD7D63E50545C68CE44A834396886E9A7BAC27E3A08A14C05259BA6E9940FDC512457155A60CAFACD8E43897E1B537A282D39697B75357197B5E3AD7F1826C0216604496AFAEF8999FBCE336C148166AE23E77EC66C0611235110FA8D6180A26425154959FACEC18FEE3EDA68E9355627820C14B44B486C9547ECE62BE72D56A7FAC4747AFCF201D8A4155F63A076234D6BC04DE27E7A7849BF8956E3DB6E51C043CB6FC66889ADE1F8DE756E9194838E8EF8A5CF9C0DD553282DE8A3130CA7752C22C191E5C352AC3BD77EF9270BF37BC807BBDB3F39AE7966B013723E71EAF41082A056D994F64B428183C5BAFEE9C7A41CABCEA868FC34"); ++ ++echo bin2hex(openssl_dh_compute_key($publicKey, openssl_get_privatekey($privateKey))), "\n"; ++ ++?> ++--EXPECT-- ++b0049944fa5d36f364dd02e675dde50f8c2d67481c5cf0fe2f248d383eec1d38c23d5ed2644fbef2676bcd6ce148361ca82619c8f93e10506cb89d0a1bdaa0f0bc6f68cef0f7cb6d97d43e8dda3c7a5c5a98ebd2342a605ce530fd46a0602d28d4afc48e92088d0bc42194ca8682a85317f812d81b86cd284eed405df2f76aae84ccd560856e8a3d0ce4f591394bca02eb8a1984ebb41bb19714fb8b579bcafd36a9051d51d075f66229893289d8a0c918bfd222f17803cc532d2cf93bb2a567953323ca409beb3237faae9c6fdfc671594324953badd07dd4770ee09fd19f90045654c5709e92aa614b83594c2f62a8bc3c7e786e54bc1259a0a737c70dd4cc +-- +2.31.1 + +From fbb478f86081d4d879d1ed644c37842e0d9b1192 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Thu, 5 Aug 2021 14:52:56 +0200 +Subject: [PATCH 15/39] Extract php_openssl_pkey_derive() function + +To allow sharing it with the openssl_dh_compute_key() implementation. + +(cherry picked from commit c6542b2a1e431e7fa980bd97c696c8c48fb58dc3) +--- + ext/openssl/openssl.c | 77 +++++++++++++++++++++++-------------------- + 1 file changed, 41 insertions(+), 36 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 1fca64df15..bf3f70d355 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4560,6 +4560,34 @@ PHP_FUNCTION(openssl_pkey_get_details) + } + /* }}} */ + ++static zend_string *php_openssl_pkey_derive(EVP_PKEY *key, EVP_PKEY *peer_key, size_t key_size) { ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(key, NULL); ++ if (!ctx) { ++ return NULL; ++ } ++ ++ if (EVP_PKEY_derive_init(ctx) <= 0 || ++ EVP_PKEY_derive_set_peer(ctx, peer_key) <= 0 || ++ (key_size == 0 && EVP_PKEY_derive(ctx, NULL, &key_size) <= 0)) { ++ php_openssl_store_errors(); ++ EVP_PKEY_CTX_free(ctx); ++ return NULL; ++ } ++ ++ zend_string *result = zend_string_alloc(key_size, 0); ++ if (EVP_PKEY_derive(ctx, (unsigned char *)ZSTR_VAL(result), &key_size) <= 0) { ++ php_openssl_store_errors(); ++ zend_string_release_ex(result, 0); ++ EVP_PKEY_CTX_free(ctx); ++ return NULL; ++ } ++ ++ ZSTR_LEN(result) = key_size; ++ ZSTR_VAL(result)[key_size] = 0; ++ EVP_PKEY_CTX_free(ctx); ++ return result; ++} ++ + /* {{{ Computes shared secret for public value of remote DH key and local DH key */ + PHP_FUNCTION(openssl_dh_compute_key) + { +@@ -4567,7 +4595,6 @@ PHP_FUNCTION(openssl_dh_compute_key) + char *pub_str; + size_t pub_len; + DH *dh; +- EVP_PKEY *pkey; + BIGNUM *pub; + zend_string *data; + int len; +@@ -4578,11 +4605,12 @@ PHP_FUNCTION(openssl_dh_compute_key) + + PHP_OPENSSL_CHECK_SIZE_T_TO_INT(pub_len, pub_key, 1); + +- pkey = Z_OPENSSL_PKEY_P(key)->pkey; ++ EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey; + + if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) { + RETURN_FALSE; + } ++ + dh = EVP_PKEY_get0_DH(pkey); + if (dh == NULL) { + RETURN_FALSE; +@@ -4612,59 +4640,36 @@ PHP_FUNCTION(openssl_pkey_derive) + { + zval *priv_key; + zval *peer_pub_key; +- EVP_PKEY *pkey = NULL; +- EVP_PKEY *peer_key = NULL; +- EVP_PKEY_CTX *ctx = NULL; +- size_t key_size; + zend_long key_len = 0; +- zend_string *result; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz|l", &peer_pub_key, &priv_key, &key_len) == FAILURE) { + RETURN_THROWS(); + } + +- RETVAL_FALSE; + if (key_len < 0) { + zend_argument_value_error(3, "must be greater than or equal to 0"); + RETURN_THROWS(); + } + +- key_size = key_len; +- pkey = php_openssl_pkey_from_zval(priv_key, 0, "", 0); ++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(priv_key, 0, "", 0); + if (!pkey) { +- goto cleanup; ++ RETURN_FALSE; + } + +- peer_key = php_openssl_pkey_from_zval(peer_pub_key, 1, NULL, 0); ++ EVP_PKEY *peer_key = php_openssl_pkey_from_zval(peer_pub_key, 1, NULL, 0); + if (!peer_key) { +- goto cleanup; +- } +- +- ctx = EVP_PKEY_CTX_new(pkey, NULL); +- if (!ctx) { +- goto cleanup; +- } +- +- if (EVP_PKEY_derive_init(ctx) > 0 +- && EVP_PKEY_derive_set_peer(ctx, peer_key) > 0 +- && (key_size > 0 || EVP_PKEY_derive(ctx, NULL, &key_size) > 0) +- && (result = zend_string_alloc(key_size, 0)) != NULL) { +- if (EVP_PKEY_derive(ctx, (unsigned char*)ZSTR_VAL(result), &key_size) > 0) { +- ZSTR_LEN(result) = key_size; +- ZSTR_VAL(result)[key_size] = 0; +- RETVAL_NEW_STR(result); +- } else { +- php_openssl_store_errors(); +- zend_string_release_ex(result, 0); +- RETVAL_FALSE; +- } ++ EVP_PKEY_free(pkey); ++ RETURN_FALSE; + } + +-cleanup: ++ zend_string *result = php_openssl_pkey_derive(pkey, peer_key, key_len); + EVP_PKEY_free(pkey); + EVP_PKEY_free(peer_key); +- if (ctx) { +- EVP_PKEY_CTX_free(ctx); ++ ++ if (result) { ++ RETURN_NEW_STR(result); ++ } else { ++ RETURN_FALSE; + } + } + /* }}} */ +-- +2.31.1 + +From f8f202ae92bf2c92cec4ad8d6bf2f57236ccd976 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Thu, 5 Aug 2021 15:58:20 +0200 +Subject: [PATCH 16/39] Avoid DH_compute_key() with OpenSSL 3 + +Instead construct a proper EVP_PKEY for the public key and +perform a derive operation. + +Unfortunately we can't use a common code path here, because +EVP_PKEY_set1_encoded_public_key() formerly known as +EVP_PKEY_set1_tls_encodedpoint() does not appear to work with +DH keys prior to OpenSSL 3. + +(cherry picked from commit cb48260fdd7e8a5a636e68917eca484530af5c94) +--- + ext/openssl/openssl.c | 64 +++++++++++++++++++++++++++---------------- + 1 file changed, 40 insertions(+), 24 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index bf3f70d355..91d2589aad 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4588,16 +4588,48 @@ static zend_string *php_openssl_pkey_derive(EVP_PKEY *key, EVP_PKEY *peer_key, s + return result; + } + ++static zend_string *php_openssl_dh_compute_key(EVP_PKEY *pkey, char *pub_str, size_t pub_len) { ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ EVP_PKEY *peer_key = EVP_PKEY_new(); ++ if (!peer_key || EVP_PKEY_copy_parameters(peer_key, pkey) <= 0 || ++ EVP_PKEY_set1_encoded_public_key(peer_key, (unsigned char *) pub_str, pub_len) <= 0) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(peer_key); ++ return NULL; ++ } ++ ++ zend_string *result = php_openssl_pkey_derive(pkey, peer_key, 0); ++ EVP_PKEY_free(peer_key); ++ return result; ++#else ++ DH *dh = EVP_PKEY_get0_DH(pkey); ++ if (dh == NULL) { ++ return NULL; ++ } ++ ++ BIGNUM *pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL); ++ zend_string *data = zend_string_alloc(DH_size(dh), 0); ++ int len = DH_compute_key((unsigned char*)ZSTR_VAL(data), pub, dh); ++ BN_free(pub); ++ ++ if (len < 0) { ++ php_openssl_store_errors(); ++ zend_string_release_ex(data, 0); ++ return NULL; ++ } ++ ++ ZSTR_LEN(data) = len; ++ ZSTR_VAL(data)[len] = 0; ++ return data; ++#endif ++} ++ + /* {{{ Computes shared secret for public value of remote DH key and local DH key */ + PHP_FUNCTION(openssl_dh_compute_key) + { + zval *key; + char *pub_str; + size_t pub_len; +- DH *dh; +- BIGNUM *pub; +- zend_string *data; +- int len; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "sO", &pub_str, &pub_len, &key, php_openssl_pkey_ce) == FAILURE) { + RETURN_THROWS(); +@@ -4606,32 +4638,16 @@ PHP_FUNCTION(openssl_dh_compute_key) + PHP_OPENSSL_CHECK_SIZE_T_TO_INT(pub_len, pub_key, 1); + + EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey; +- + if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) { + RETURN_FALSE; + } + +- dh = EVP_PKEY_get0_DH(pkey); +- if (dh == NULL) { +- RETURN_FALSE; +- } +- +- pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL); +- +- data = zend_string_alloc(DH_size(dh), 0); +- len = DH_compute_key((unsigned char*)ZSTR_VAL(data), pub, dh); +- +- if (len >= 0) { +- ZSTR_LEN(data) = len; +- ZSTR_VAL(data)[len] = 0; +- RETVAL_NEW_STR(data); ++ zend_string *result = php_openssl_dh_compute_key(pkey, pub_str, pub_len); ++ if (result) { ++ RETURN_NEW_STR(result); + } else { +- php_openssl_store_errors(); +- zend_string_release_ex(data, 0); +- RETVAL_FALSE; ++ RETURN_FALSE; + } +- +- BN_free(pub); + } + /* }}} */ + +-- +2.31.1 + +From fbb13f6bf183f1d2d95fe2aa48edce300aad5fd7 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 14:54:59 +0200 +Subject: [PATCH 17/39] Use different algorithm in pkcs7 tests + +The default of OPENSSL_CIPHER_RC2_40 is no longer (non-legacy) +supported in OpenSSL 3, specify a newer cipher instead. + +We should probably either change the default (if acceptable) or +make the parameter required. + +(cherry picked from commit 563b3e3472d7c5e3502fb49ef023b6e18ed0f22a) +--- + .../tests/openssl_pkcs7_decrypt_basic.phpt | 3 ++- + .../tests/openssl_pkcs7_encrypt_basic.phpt | 23 ++++++++++--------- + 2 files changed, 14 insertions(+), 12 deletions(-) + +diff --git a/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt b/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt +index eb0698da9f..0d4da7a251 100644 +--- a/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt ++++ b/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt +@@ -19,8 +19,9 @@ $single_cert = "file://" . __DIR__ . "/cert.crt"; + $headers = array("test@test", "testing openssl_pkcs7_encrypt()"); + $wrong = "wrong"; + $empty = ""; ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-openssl_pkcs7_encrypt($infile, $encrypted, $single_cert, $headers); ++openssl_pkcs7_encrypt($infile, $encrypted, $single_cert, $headers, 0, $cipher); + var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, $single_cert, $privkey)); + var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, openssl_x509_read($single_cert), $privkey)); + var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, $single_cert, $wrong)); +diff --git a/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt b/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt +index ef9b25e70b..7a600bc292 100644 +--- a/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt ++++ b/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt +@@ -20,19 +20,20 @@ $headers = array("test@test", "testing openssl_pkcs7_encrypt()"); + $empty_headers = array(); + $wrong = "wrong"; + $empty = ""; ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers, 0, $cipher)); + var_dump(openssl_pkcs7_decrypt($outfile, $outfile2, $single_cert, $privkey)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $assoc_headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $empty_headers)); +-var_dump(openssl_pkcs7_encrypt($wrong, $outfile, $single_cert, $headers)); +-var_dump(openssl_pkcs7_encrypt($empty, $outfile, $single_cert, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $empty, $single_cert, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $wrong, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $empty, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $multi_certs, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs) , $headers)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $assoc_headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $empty_headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($wrong, $outfile, $single_cert, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($empty, $outfile, $single_cert, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $empty, $single_cert, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $wrong, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $empty, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $multi_certs, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs), $headers, 0, $cipher)); + + if (file_exists($outfile)) { + echo "true\n"; +-- +2.31.1 + +From e6d9c6b6cfcc255124bb42b409c29db854ff828d Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Thu, 5 Aug 2021 16:30:55 +0200 +Subject: [PATCH 18/39] Use different algorithm in cms tests + +Same as with pkcs7, switch these tests to use an algorithm that +OpenSSL 3 supports out of the box. + +Once again, we should consider changing the default or making it +required. + +(cherry picked from commit ec4d926a80fe93c80d2b52f0178bc627097d9288) +--- + ext/openssl/tests/openssl_cms_decrypt_basic.phpt | 3 ++- + ext/openssl/tests/openssl_cms_encrypt_der.phpt | 3 ++- + ext/openssl/tests/openssl_cms_encrypt_pem.phpt | 3 ++- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ext/openssl/tests/openssl_cms_decrypt_basic.phpt b/ext/openssl/tests/openssl_cms_decrypt_basic.phpt +index 86c70f4fde..709194ec05 100644 +--- a/ext/openssl/tests/openssl_cms_decrypt_basic.phpt ++++ b/ext/openssl/tests/openssl_cms_decrypt_basic.phpt +@@ -15,8 +15,9 @@ $single_cert = "file://" . __DIR__ . "/cert.crt"; + $headers = array("test@test", "testing openssl_cms_encrypt()"); + $wrong = "wrong"; + $empty = ""; ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-openssl_cms_encrypt($infile, $encrypted, $single_cert, $headers); ++openssl_cms_encrypt($infile, $encrypted, $single_cert, $headers, cipher_algo: $cipher); + + var_dump(openssl_cms_decrypt($encrypted, $outfile, $single_cert, $privkey)); + print("\nDecrypted text:\n"); +diff --git a/ext/openssl/tests/openssl_cms_encrypt_der.phpt b/ext/openssl/tests/openssl_cms_encrypt_der.phpt +index e7aa8f4dad..06bfcabeb4 100644 +--- a/ext/openssl/tests/openssl_cms_encrypt_der.phpt ++++ b/ext/openssl/tests/openssl_cms_encrypt_der.phpt +@@ -14,8 +14,9 @@ $decryptfile = $tname . ".out"; + $single_cert = "file://" . __DIR__ . "/cert.crt"; + $privkey = "file://" . __DIR__ . "/private_rsa_1024.key"; + $headers = array("test@test", "testing openssl_cms_encrypt()"); ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_DER)); ++var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_DER, $cipher)); + if (openssl_cms_decrypt($cryptfile, $decryptfile, $single_cert, $privkey, OPENSSL_ENCODING_DER) == false) { + print "DER decrypt error\n"; + print "recipient:\n"; +diff --git a/ext/openssl/tests/openssl_cms_encrypt_pem.phpt b/ext/openssl/tests/openssl_cms_encrypt_pem.phpt +index 929f3f2e02..4030862391 100644 +--- a/ext/openssl/tests/openssl_cms_encrypt_pem.phpt ++++ b/ext/openssl/tests/openssl_cms_encrypt_pem.phpt +@@ -14,8 +14,9 @@ $decryptfile = $tname . ".pemout"; + $single_cert = "file://" . __DIR__ . "/cert.crt"; + $privkey = "file://" . __DIR__ . "/private_rsa_1024.key"; + $headers = array("test@test", "testing openssl_cms_encrypt()"); ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_PEM)); ++var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_PEM, $cipher)); + if (openssl_cms_decrypt($cryptfile, $decryptfile, $single_cert, $privkey, OPENSSL_ENCODING_PEM) == false) { + print "PEM decrypt error\n"; + print "recipient:\n"; +-- +2.31.1 + +From 31e60d155d01253ab42f490fecd0f2a5e537bc47 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Thu, 5 Aug 2021 17:07:44 +0200 +Subject: [PATCH 19/39] Use larger key size for DSA/DH tests + +OpenSSL 3 validates allowed sizes strictly, pick minimum sizes +that are supported. + +(cherry picked from commit 1cf4fb739f7a4fa8404a4c0958f13d04eae519d4) +--- + ext/openssl/tests/bug73711.cnf | 3 --- + ext/openssl/tests/bug73711.phpt | 11 ++++++++--- + 2 files changed, 8 insertions(+), 6 deletions(-) + delete mode 100644 ext/openssl/tests/bug73711.cnf + +diff --git a/ext/openssl/tests/bug73711.cnf b/ext/openssl/tests/bug73711.cnf +deleted file mode 100644 +index 0d27d910d4..0000000000 +--- a/ext/openssl/tests/bug73711.cnf ++++ /dev/null +@@ -1,3 +0,0 @@ +-[ req ] +-default_bits = 384 +- +diff --git a/ext/openssl/tests/bug73711.phpt b/ext/openssl/tests/bug73711.phpt +index 0b3f91b8fe..4e4bba8aa8 100644 +--- a/ext/openssl/tests/bug73711.phpt ++++ b/ext/openssl/tests/bug73711.phpt +@@ -6,9 +6,14 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded"); + ?> + --FILE-- + <?php +-$cnf = __DIR__ . DIRECTORY_SEPARATOR . 'bug73711.cnf'; +-var_dump(openssl_pkey_new(["private_key_type" => OPENSSL_KEYTYPE_DSA, 'config' => $cnf])); +-var_dump(openssl_pkey_new(["private_key_type" => OPENSSL_KEYTYPE_DH, 'config' => $cnf])); ++var_dump(openssl_pkey_new([ ++ "private_key_type" => OPENSSL_KEYTYPE_DSA, ++ "private_key_bits" => 1024, ++])); ++var_dump(openssl_pkey_new([ ++ "private_key_type" => OPENSSL_KEYTYPE_DH, ++ "private_key_bits" => 512, ++])); + echo "DONE"; + ?> + --EXPECTF-- +-- +2.31.1 + +From b93f08093684d24a80857fec7ede1c41f440cff5 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 4 Aug 2021 13:54:26 +0200 +Subject: [PATCH 20/39] Skip some tests if cipher not available + +(cherry picked from commit d23a8b33abc3cd7e516563877a3f698b7a94ac10) +--- + ext/openssl/tests/bug71917.phpt | 1 + + ext/openssl/tests/bug72362.phpt | 1 + + ext/openssl/tests/openssl_decrypt_basic.phpt | 15 ++++++++++----- + 3 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/ext/openssl/tests/bug71917.phpt b/ext/openssl/tests/bug71917.phpt +index a68cf0162c..0cc518c4ef 100644 +--- a/ext/openssl/tests/bug71917.phpt ++++ b/ext/openssl/tests/bug71917.phpt +@@ -3,6 +3,7 @@ Bug #71917: openssl_open() returns junk on envelope < 16 bytes + --SKIPIF-- + <?php + if (!extension_loaded("openssl")) die("skip openssl not loaded"); ++if (!in_array('rc4', openssl_get_cipher_methods())) die('skip rc4 not available'); + ?> + --FILE-- + <?php +diff --git a/ext/openssl/tests/bug72362.phpt b/ext/openssl/tests/bug72362.phpt +index cd6ec1e838..b73cac7425 100644 +--- a/ext/openssl/tests/bug72362.phpt ++++ b/ext/openssl/tests/bug72362.phpt +@@ -3,6 +3,7 @@ Bug #72362: OpenSSL Blowfish encryption is incorrect for short keys + --SKIPIF-- + <?php + if (!extension_loaded("openssl")) die("skip openssl not loaded"); ++if (!in_array('bf-ecb', openssl_get_cipher_methods())) die('skip bf-ecb not available'); + ?> + --FILE-- + <?php +diff --git a/ext/openssl/tests/openssl_decrypt_basic.phpt b/ext/openssl/tests/openssl_decrypt_basic.phpt +index 4175e703d2..e846b42e78 100644 +--- a/ext/openssl/tests/openssl_decrypt_basic.phpt ++++ b/ext/openssl/tests/openssl_decrypt_basic.phpt +@@ -24,10 +24,15 @@ $padded_data = $data . str_repeat(' ', 16 - (strlen($data) % 16)); + $encrypted = openssl_encrypt($padded_data, $method, $password, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING, $iv); + $output = openssl_decrypt($encrypted, $method, $password, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING, $iv); + var_dump(rtrim($output)); +-// if we want to prefer variable length cipher setting +-$encrypted = openssl_encrypt($data, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY); +-$output = openssl_decrypt($encrypted, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY); +-var_dump($output); ++ ++if (in_array("bf-ecb", openssl_get_cipher_methods())) { ++ // if we want to prefer variable length cipher setting ++ $encrypted = openssl_encrypt($data, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY); ++ $output = openssl_decrypt($encrypted, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY); ++ var_dump($output === $data); ++} else { ++ var_dump(true); ++} + + // It's okay to pass $tag for a non-authenticated cipher. + // It will be populated with null in that case. +@@ -39,5 +44,5 @@ var_dump($tag); + string(45) "openssl_encrypt() and openssl_decrypt() tests" + string(45) "openssl_encrypt() and openssl_decrypt() tests" + string(45) "openssl_encrypt() and openssl_decrypt() tests" +-string(45) "openssl_encrypt() and openssl_decrypt() tests" ++bool(true) + NULL +-- +2.31.1 + +From bc8281431c8ce82c232fee5674b945af95bbd860 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Thu, 5 Aug 2021 16:29:43 +0200 +Subject: [PATCH 21/39] Use different cipher in one more CMS test + +Followup to ec4d926a80fe93c80d2b52f0178bc627097d9288 -- I failed +to squash in this commit. + +(cherry picked from commit a2c201351b32b1a7c44f6c6692c2a9fca9179e17) +--- + .../tests/openssl_cms_encrypt_basic.phpt | 23 ++++++++++--------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/ext/openssl/tests/openssl_cms_encrypt_basic.phpt b/ext/openssl/tests/openssl_cms_encrypt_basic.phpt +index f1a0c6af8b..ee706ebfba 100644 +--- a/ext/openssl/tests/openssl_cms_encrypt_basic.phpt ++++ b/ext/openssl/tests/openssl_cms_encrypt_basic.phpt +@@ -18,20 +18,21 @@ $headers = array("test@test", "testing openssl_cms_encrypt()"); + $empty_headers = array(); + $wrong = "wrong"; + $empty = ""; ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers, cipher_algo: $cipher)); + var_dump(openssl_cms_decrypt($outfile, $outfile2, $single_cert, $privkey)); + readfile($outfile2); +-var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $assoc_headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $empty_headers)); +-var_dump(openssl_cms_encrypt($wrong, $outfile, $single_cert, $headers)); +-var_dump(openssl_cms_encrypt($empty, $outfile, $single_cert, $headers)); +-var_dump(openssl_cms_encrypt($infile, $empty, $single_cert, $headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, $wrong, $headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, $empty, $headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, $multi_certs, $headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs) , $headers)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $assoc_headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $empty_headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($wrong, $outfile, $single_cert, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($empty, $outfile, $single_cert, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $empty, $single_cert, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $wrong, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $empty, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $multi_certs, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs), $headers, cipher_algo: $cipher)); + + if (file_exists($outfile)) { + echo "true\n"; +-- +2.31.1 + +From c42a69def274fb77cbcb3db4189841e3f582803a Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Fri, 6 Aug 2021 10:35:49 +0200 +Subject: [PATCH 22/39] Generate pkcs12_read test inputs on the fly + +The old p12_with_extra_certs.p12 file uses an unsupported something. + +(cherry picked from commit 5843ba518cfb9ac6ae6d6a69629239cbf77d4cfb) +--- + ext/openssl/tests/bug74022_2.phpt | 10 ++-- + .../tests/openssl_pkcs12_read_basic.phpt | 46 ++++++++++-------- + ext/openssl/tests/p12_with_extra_certs.p12 | Bin 3205 -> 0 bytes + 3 files changed, 31 insertions(+), 25 deletions(-) + delete mode 100644 ext/openssl/tests/p12_with_extra_certs.p12 + +diff --git a/ext/openssl/tests/bug74022_2.phpt b/ext/openssl/tests/bug74022_2.phpt +index 5df37fb3c9..9c38387157 100644 +--- a/ext/openssl/tests/bug74022_2.phpt ++++ b/ext/openssl/tests/bug74022_2.phpt +@@ -12,11 +12,13 @@ function test($p12_contents, $password) { + var_dump(count($cert_data['extracerts'])); + } + +-$p12_base64 = 'MIIW+QIBAzCCFr8GCSqGSIb3DQEHAaCCFrAEghasMIIWqDCCEV8GCSqGSIb3DQEHBqCCEVAwghFMAgEAMIIRRQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIQOfCxIAgGIICAggAgIIRGFTkvHpJjCtFjukXYVlhyOIqKiS8Zvg84dX244hhI0S51Uyn/tlXM2GD/3hDNVxcVKwP/fKN21lEkoXoK4h2/5BY3qCdZa3Ef3vk44b/+FGCUAqvsOo1ZjD2P/sBGhLu3aFnQ6ktUXlKV4cnqhlF62AqY4e5efQzmJXn+gI8cSNI5c+qQ0RQgGoRY4nJfvMSZG0/DAkirjGikU/2TZd8LwLkxVUBYbF5/T0fNtA3o99+4tF+8ZRv6ArYjplRdwcBbMbzGhn3ytCq6cmVid9iLjwHJFmvAPXKbmu0Lh5eRRznX9gBWlzGd08Q/ch0MW2ehZTu1A2VrNWl+FKWSk8l0MlSoTPJFutFiejRvMr6VzbQItyJ/mtrNa9b1Hicgoj9HaBB6arx4wKORlbSOxFNOWdTCUhFdqthK5o7b9i/owyVgyY0s7BFEZChc0zGpRq7BLrynY79b+pHKzpil9isuisp1++piHZx9Y/bpC7OP5FlYF9+3TJL0EpEFQD8FqEoqcMFRxIDWGpCQiLGcmL14OH1JKSgOJEAgogsIF/KQhvWeKcUSJlai+0sskl8mOrCt2EJwuRvzmemuzebYN3JMOiBXKONYR0yU8AeAyNTgSBimWhACtikUyfpgZXlIeXyFMvj9fmd0I/zqjaW4upqrCudCOj/CWx7+e+8udfJxI7agWwrZMf1BEkOhRFOHOIuV+IEbaoMP6vVrGlhK71oN+gnoes5ivohpFDJWSZ3+1fMh56vfNynuM2wLJO7FTROPla+4ug33V/2ubGpoIyXn2lTSbuXaYDfsXMa1inakOMW9Q+PHGdIjZrwQU/u9Q2H0IlwFd4uQojZo15SRf4xh5FOuUrrfGRAnp1mWHALTBqd2VnkgqtBl8rXZXqA+CiEhEDhTAQmvf+wCKd3FklrhV+p65YcfRK9OJv5aFQM1/+WbJozF4/Wi5j4rtIDPrgMMEflOyoZIxGxDOaklyAvaasRU2TT8E2LIEvGKOzlrhIZqWyRESjgXdh6l0UBMaVAidIZ0JLf+8fqSZ0Zia5iAaJpm82MQr/PVXC4lqqxDlHhefwM3OKfZVkfAw0a2eePM5YkIxAgMpAstBt32UIixlj/5l4MwqzP8Reb4MsV6Fph2e14vsV1diLBaJI3hrU5UBVEDWV0GSbwdhZLtdubSaBHcv5v9aZ1cdFKL6d2rHksW9ooNnh/ljPxmVlfHbb8sPYDXmLmBNJdNV1gQouhKKrt0ov1J9+sqE53D9+9dfRwf/myYlnyNgqU4vNMrZI2flyugkYoUxIC8stVF46zfL5QkSg3GqdLQC4gpeJ0WdTSyOBaOgUvqGdSARb5bXm1VXF5IxVg1B4v+puNIHS9yuphXUJvw6xWWPjbQAllDrPjMqAbxmF465vFyQP0qEvMjRD+SaFIgW4KjMqfteKo4MgqKTRF4UP9r0HkwRErOznxWDfSxzXYztY6U72NdifN9IIFiBikKQqZvfvaN+1jukehSRpGQHQB5OxeeKThJZJGiUC5Fgvl7lPb6Djx8Rfba/FJvVsR2KFS64sArtUKmC6LcJxEY9WcsiJTHek817zvYej7FD1NxuttNp+ue9ArOoIhOEf08HIOu3d2yjeRlN5CJ/jIdKYlZW6m6Ap1M+OUHhJTF73K6lKKD9Diwa3s6FoqOwtZF4uYwHnCG218BMY8GgEVD73x5KjDOP02Y6EakZNp/9QIqQT4WkMWXMaqAPADtoh8X1FJLlnvs2Ko+hLlPxuPaIA4KvSuuocnWx/6HJbdqHUS/Se+JJo0Igt4Svax1R2kvoIPuQmPmHJ6l7CeZZiNbe+baFSx+V6g/6AgHUsUOSqGvUIEns1uIE9CQ8w0G3yLVonjERJLrdj+em3Pt7fxrxoOI4nwjplX0wJk0rkQREiS8ULQDHueptUcxJxMKpugAc4CL+BsHohkhm4kpOEmviKDwzxytQhDp2Fj2PRO9kqyNrNfzNGCN5709blEIVYTtonELI2vR5Ap+O2pH+AlqrnHWgeOYAKAyWT13xCNRsGNdv2sCDDiHqxq01IBzYhPvoWzECOmGbJRRSGOVzYCJJpVjl0NNKv9ucmftSQRjm6xgLIqv1xrehDYuJ/IMsYQ5QwXBGxy7nkeRg+onWzA0ZnEWgzLs3T/Pj7z/TPQWiN03MH24RvQXTWBqp9iBwXpsCZVgUIM/VLCQJn0/V5gfRy9Ne0rk2/tHMnzGHvll5Spoy6WkxSfQ8c8CjTilaoPWV6fOcNB2Z6ZuTqX0fbnxcEAu2fOK7e6ryGipEgaxrdiopDTlgPEFMdGUETbUh0ACrv/gNsS+m5MtNisWnhxFEiXrsWoWIgW/6TgRJGo+l52bh/xxC0bwHbYuHK62sxDVeXpBOnA4VE+WckWsC0CKYJvv4vfTbLI46fyd3lnlcSuHYM4SdbND7THNeK+KB5GyuUFLgAhhtZv8ceEo63IOlBUUy1NlWnr0cbidxvVnOugFLExCV5QGr+xbrssIibQxs8AfOBK8Cxh83IlzJVe7dX1mZVG1c6AM6SKSC6F0LBOeNEvcLlz4PBMIciubCE6ecdXCzJYFbj9ERDlnrZMKrnATRMsgCPaWdyYgQwkDuCj5uqf4aiKLzA61918hLY3MB7mSyJcCkXDYKr11Br0YSAdu8uG6IjpiUQS2PFz8E8XHBmO/uobhEuCPR2LnUv+xFN8zoPQlA5ueRz1yBF8L+CsvDGp/N3KF26ETWlvmnEdt7foE+o/J7aG6xO/CNB+/+yGbVPZRVAntZec9nbqlQ55qECnWtQNnShW7+3RSGamWeTtE2DyRSfd/62JkPNEY25jbBUIkMNtKolA5dbYa+u50S3lvakMmvQvzcSC3PONajKHgk4mBn3qf9X2uM5RDL83M7489r6JPcxTnNK27rQoxplkxLiN8HuB+AB5hp82WoyvLydR4hoBnJPIYKMcmEfIR+SgLoCyNIQLjzk5Iyk1ZwdwsjyNPXi1/HHZq8+NhoTCupjGfWgXghoz89MTYAjpMvOlES2rgFuCdphSc8Nd1uQtZx4CLMOU0gut0PI81ePBBI0iG74PWMEcp5HlHHY/hPTaRkBFLYkq9CWmJc1PfjiCWf3pwRmT7dUnmcptynexIMOZt2Nd76jc+g7k5MmEK+Qdz7/c1un4sVLquxdY6nUY/znLz+2zC/OTSsF39+rak3p8TXR0kBNsHl8UTioi4CGhCMsWsQy9me25TDHzbtIvBPVp9xXufsOe2wqPLjq3iNEGXTsagx3sLvl7BJ6WW/YMC7sUpjx1Ai3zkqViW0jQB+BzMZjfYM/8Yj31EEE+WssxY+NfitBgZzeMGGjNOAKp7XN0glwhuo1G2/APyU/Zopx3gMYj5OExgkZ7kvK++7+NlPmE+8AEuZ/uf30TtKwvRXOSvAMqqm26kb/WQPCj1xFQ0AEDl0Sbyfgk1E51Cd/ujL0t32FNkSoE8pe3IaTnwAnW7NHTZ/RByh2nsr0ThfFg4pFFuSD4dzU8r2J/4YJG3B06eyyTRLoyLBQwzwIgzGBAU8USdD8CXlA8SkfBbF39500ZRNcMIt6wdQa1CHAUHDLPw9JF9Q0FwCspgkjc9+lTRZMtumN5ChgypSkUB1dzLV2hqeQzDngVjcco/CoxM0Svm8gGrM9qobCTGzGF8/wZljv1yRiqu6HGFYWDAQ/p+wWx6ScstxEAB+5R5GrOedgd4zPXi2NMvyeN+ACFRBSPkhXIXpLZADvBi/WQMYbHia1wL8WUrSGQuB4P46cWGyseaxl//6GQ9IoGbK3XuLIPeE+BpPLB0H9LSLY+5f3qOEkKzCCW0z+68ZMlanlsThLKhqk8yrmJhV4788Tr7BC3eGbAie1urrrfUR613Jsp5peLSJuWQHdWCE/fdKgoSsRJ+DYkPoyS1YNz4BF4yz1Oem9Mti7gvgTQNX6g6PCu0rN8B6HIgY9TvWy5OCoZjJKasb+OgTMld7TJDnyK5/JcvDKHNVwcpK74lxcVX7IRorP/eh4IQ1+P/Gh06A62RHp2dEh/fNuKeCiRM2vGH0gdIN/Ca6MX8MqazgJq2EONyWiqRoGPqqZpAVTa8l5kgGvxQE/CQ4x0uAxwresRRTUZ+fJEanAhTWYgI5mRoEkG88UZjyCWmCnpNMQRYHoq7iY0So5qUdkHvpUA48cNMyztPEEHsUyWC36ZCyNsQN26FoJrG9TqXedBrhcki0sPOWugvKtGsdTT354wJTDe5OCo0AH3eFo/auuuAk/DF7yu614UCmKtXHYJ61GpIkjBu9WrPAIJhndMqfGMD/yU4UMEPHyojqHvU0BSgv1k76vI3K2lqERkaNYFfzRNj+e7k+NNos8w7XCzilWBL2ePB3pG5xfivcH4tYFm0FbnIkSz52VIy+PTiK7QQuBPDRTcn1k41+9vxQxRWpsqM/NP+4gqGozNyANXLQ64Y+QXSnWrD+xMjL/kVFwUBJ2HaAIJHjZ7ZqLRzXVOUbQ9pivJiBkXvLptSo72Iw4zsbRd1x8WNEaihx1MBAj+s+4MNdC5MBkQMlSB0PTJzs9xlz0gN+Oz0lohH6JO7ngPJUYbo2AIWEYZN+9kn/RyHblQTElrJeLf1jGNi4anBfzbsIXQuVm/nsrE5MH23X66+rJzUk8Fc5JAIDGBslkDPg3UNnElcE3cYbcB/ZzjFtgz8ducWKQmI+Yqv4p7BVXji/rHPim8vL6P5xZc95tbIonp5bQH+PPSmcfDk3rrf5mS58dJvWh/UpwcfdVvUAsWLJEV1lUBg1qecVbCsa6Oy7tJ2ZK7e3KdtZrmXiYpSAnSzRNJotr4g4H99brG6IwUx3qk5BE4x3C8MpSb+1NcKnM9nhqwAGRb9sfVXG38eNltm7hDnsolQcFQmHkDSM4arUVRqmsG8O16bThtlFWbYYN355aGQxrO2pICnt0ZOAI5CA3Rl8FprhFZgVy4pcpMVwy2zCNaYGJoGYsxDm/lEWJbTGcVm6YkyaZvdkXM1uAVegLZOCKnlW9H7b1uU3NvUw4Qx3DhI5xMD9jZhlXIsYfa9s5NQjTeIX8fFbx1fdENpHjVRxs82DO26uLEaJpoL/Ywn1xfs1uV0VQb2NGPvUJKysjMRoX0Zfa0hsSBhw/ZSlyX1xfQY8ShusVswf3zEnwI1LTgtr0CvBNwnuaSDv/IoypEfCOuMrJEGJuTPDbGGyS4VeRf0He5Dk9RskehgrJcwhlw+hXajR6SluODcsEGfL+eOUjAOO9agWaqM2CfV52/vJNhA5KMEJwHuQAU1SHr4+xaW4EKWPlxB6Sjjz/IuL+toLBetBA3ZhEfokac6rQplUIiOICd3Ghwi1rpUZPL5YuP0murhpBGTdzMzGSMhSZ74LeAcoRKEG4rKKIS3fRS65QMlaLC6uOT8givHdXsk+4zLBF0BnYAe4bq8RDcpt9TJRczL6+NaxYxa36R+DRin4U1SwaUdIvEKaEDBdVLnzKkpAim5cww1MYkGZmFcVg8u8fSnoz5TeorZy00dQCMCC+SyMb58TTA08UrCOSq07+ILregexlx+Cxpbgpabo858lkJLDpPJmq8YQmog2gaMstJbpyV3M4wf1GL4ylPurPWUuyX58H8oRyX/FH79cpsbyeNoghwfvRVw8/tOUyF1DbA8Lw0HauIHTQwMTOvREPCPmlMvldIUJxHqIpqcsXESIWT/+YaHBiKGueGqPOdkFPtXSyf4t1Ka56M/9ftvdR/oFtr/iApE0Hyosz84INF/Rq9HYd8jrVb3IcQw637U2s4sE+I95+c+VaYxcDq29Jd2jD3uZfn6vbxb7Zz//Z8G4PGBNDns+D/jDoAMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECDpR8wgSXD4AAgIIAASCBMijRdwb0L38qXtBGebx6l35L3eR8/NPfJTyDKqYQOiIhNfYp/f+Ml9g3NlCB+ba03BZBCFSo1a9csjMZ1fDgS5AoNE683hbPdNj6D5JYQtvOpX/D5rawmI0iuDTIc6GOpN5PS0ds9OLnlS6pagq3U7QycuiPR0jVq72qzQUDxnqXU0XO+IwQXFP5UhKrPJe/cbUotznQPGH5g88ydM9YelIvIVImXLlXeVLY8CtzRQPSduX1zckVUMktrpSvqJUhVuN4ikhh+4ga1LvtaziOibk6HNekSlN13sqSQ7GeWGToB1AOmN8i1LZmWRnrPG61dT3uPg0R/5rPq6hrNQvAnx7Mpq7Uz1OuzDzGoaBtX+/CVIpeYLAYm7hdKouT84hk7qsT9ls1Dwb5P1C8HjBWas0KufoyxoHL61A+xGIcHkbOeVNy20AFUf7Xhb+kPlSdOhP3Ik1F2iUXa0pFxqTNcsmTDRzAReciYxVJ0lOTbqX7O6/a+U/sT109GqVGZJcpyk1FCUSk3HWbjSKOhxjpvxqfSKexr9ZOTmih7rBNYSY6sRUYgtpQyWNo8iWilwSP3FCBCbRIJrzJ5O6wn0JDTHONqxS9zENz/MvX8oHEZk+mkpxZA4YCodP10zQjzKHsXI1lRWrUARzpDfqGck1BBXXLrLNDL3w+00ipkTdEgtdhNFtHZ7A0Fda62ys5JTKt/oWSi0FPhjXdGnxf+8rBkB/jlKx99Ue6R4S+ve7Eqyl98TelFvX5C6wa63+/kw4/8L5aSlhrAUyYrykmnZ9nb61YY4HTmwpSJP0tHmr3LHxPVx15vp3KIyrYQVvbap+FvfcLjMoU6ckLQDZpQSJdFo86MdNedrKbwmVN7pV/M2b3DjPp5ixLCSXJgK3RaATIxQL88IDv4+ySL0Z2t6jUopZ40liyDnHGDl9zajeQ1WaW4yHS65aVlzYHSFvCGr8F/4Lydk5ax5HHqna6LbFeuQ4kUcUaGfiIagtFW+ueyfOckqLnwYisjG5fQmheONPHb7jg/qHQoKasD4TvmwrvUcG20c5J57oZ80C94zySYpdHTaETXHEOwz7NBPP1hplC1IaAfbhwZ48Z0kWWqddfELUC5miapzthvzpycOzL6zWmTLjyTXPZrbkqYfVrD26bsD/YOo54BThGcBdEfu2chT2eNF0rRZwF5U9TACfzMFYxUIVRq4rWAaerppkK5JNBT/la2QxUElh9HPn+0GGL1BYYEPCihciwWy2BwJs1IgjhU4ARTlukuxK+WLPTflwvlOX5G1P5D57up8kxtDncR5IIuZJgWWSFLGOkGeHXmjynLMqS1OCzIId3dj0c3EYBnku82eItAQd5fk7/rs0Lg0S1XeVSrgPphTgviGXzTWSh28S3VZJ2G7k4dr1P/sJQounjbcDrFyYaFxYXEqyO9L6vFShO5z7/vD5h9uLPddE4vC6PKJxZoWopWncLcLljuYKG0k+y4MV9U0/cESYJWzBbcZZpULdesinhxMg1wNPu5FeeFCsZpdhN2FadIuu/Kcsk6xNeDDIwwYXb3hVY0ARRAo//LyLv3zDB0LWz1LH3qJQeZ53DbgZ4VXQ6uK0yTgSsH4Lwaj5oFBPp4NJ3hdGa7trpJbeUMIxJTAjBgkqhkiG9w0BCRUxFgQUh6FIxf4sbyJnvvC+6J1NHGaa9w0wMTAhMAkGBSsOAwIaBQAEFFkCkI701QHxh2zcZkzDy8bn7qKwBAjafnZaU5r0FgICCAA='; ++$cert = file_get_contents(__DIR__ . "/public.crt"); ++$priv = file_get_contents(__DIR__ . "/private.crt"); ++$extracert = file_get_contents(__DIR__ . "/cert.crt"); ++$pass = "qwerty"; ++openssl_pkcs12_export($cert, $p12, $priv, $pass, array('extracerts' => [$extracert, $extracert])); + +-$p12 = base64_decode($p12_base64); +- +-test($p12, 'qwerty'); ++test($p12, $pass); + ?> + --EXPECT-- + int(2) +diff --git a/ext/openssl/tests/openssl_pkcs12_read_basic.phpt b/ext/openssl/tests/openssl_pkcs12_read_basic.phpt +index b81b4d9dac..8cb2b41fd7 100644 +--- a/ext/openssl/tests/openssl_pkcs12_read_basic.phpt ++++ b/ext/openssl/tests/openssl_pkcs12_read_basic.phpt +@@ -4,10 +4,12 @@ openssl_pkcs12_read() tests + <?php if (!extension_loaded("openssl")) print "skip"; ?> + --FILE-- + <?php +-$p12_file = __DIR__ . "/p12_with_extra_certs.p12"; +-$p12 = file_get_contents($p12_file); +-$certs = array(); ++ ++$cert = file_get_contents(__DIR__ . "/public.crt"); ++$priv = file_get_contents(__DIR__ . "/private.crt"); ++$extracert = file_get_contents(__DIR__ . "/cert.crt"); + $pass = "qwerty"; ++openssl_pkcs12_export($cert, $p12, $priv, $pass, array('extracerts' => $extracert)); + + var_dump(openssl_pkcs12_read("", $certs, "")); + var_dump(openssl_pkcs12_read($p12, $certs, "")); +@@ -73,24 +75,26 @@ MK80GEnRQIkB7uZVk+r0HusK + ["extracerts"]=> + array(1) { + [0]=> +- string(1111) "-----BEGIN CERTIFICATE----- +-MIIDBjCCAe4CCQDaL5/+UVeXuTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB +-VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +-cyBQdHkgTHRkMB4XDTE1MDYxMDEyNDAwNVoXDTE2MDYwOTEyNDAwNVowRTELMAkG +-A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 +-IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +-AL/IF7bW0vpEg5A054SDqTi5pkSeie6nyIT77qCAVI5PMlhNjxuqDIlLpCWonvKb +-LMRtp7t24BsQBRgQgps8mtfRr0gV1qq9HMfDj2bZdGcTShZN/M/BFATwxaNRTHl9 +-ey8zxGcLd4aFFBlVhXHYdBXg/PG/oxJMAFuMwa+KxSP6Mqp1FlOZtvUUieQcToMf +-Mh8Lbr4g/yHFj5lgWIJ2fmJjHJZ4wf9QBeGUrVqqxzSDEL9f0PGy+grqSHoIzLr3 +-+uhvhoI85nCyZs9+lrELuQKqbiZ8Q6Vmj6JGt3miNBFVTbBpP9GK8sVuVQwgqd8p +-C3e8hHqv7vwF+s0zjiZ+rCcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdpTtiyDJ +-0wLB18iunXCMUJpjc/HVYEp5P9vl2E/bcZfGns/8KxNHoe9mgJycr3mwjCjMjVx2 +-L/9q/8XoT02aBncwAx4oZ2H0qfjZppaUSnSc1Uv+dsldDC2mZvJgwXN7jtQmU5P3 +-cspFHuJoYK8AqYJqlO6E4L9uRF7dLEliUnrBpF4BxziwskTquRX+zgD+fmk0L5O8 +-qqvm8btWCxfng+qD7UHFWbUQ2IegZ3VrBWJ2XsxOvokMM4HoHVb0BZgq8Dvu0XJ9 +-EriEQkcydtrRKtlcWHLKcJuNUnkw2qfj+F8mmdaZib8Apa1UCkt0ZlpyYO3V2ejY +-WIjafwJYrv6f5g== ++ string(1249) "-----BEGIN CERTIFICATE----- ++MIIDbDCCAtWgAwIBAgIJAK7FVsxyN1CiMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD ++VQQGEwJCUjEaMBgGA1UECBMRUmlvIEdyYW5kZSBkbyBTdWwxFTATBgNVBAcTDFBv ++cnRvIEFsZWdyZTEeMBwGA1UEAxMVSGVucmlxdWUgZG8gTi4gQW5nZWxvMR8wHQYJ ++KoZIhvcNAQkBFhBobmFuZ2Vsb0BwaHAubmV0MB4XDTA4MDYzMDEwMjg0M1oXDTA4 ++MDczMDEwMjg0M1owgYExCzAJBgNVBAYTAkJSMRowGAYDVQQIExFSaW8gR3JhbmRl ++IGRvIFN1bDEVMBMGA1UEBxMMUG9ydG8gQWxlZ3JlMR4wHAYDVQQDExVIZW5yaXF1 ++ZSBkbyBOLiBBbmdlbG8xHzAdBgkqhkiG9w0BCQEWEGhuYW5nZWxvQHBocC5uZXQw ++gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMteno+QK1ulX4/WDAVBYfoTPRTz ++e4SZLwgael4jwWTytj+8c5nNllrFELD6WjJzfjaoIMhCF4w4I2bkWR6/PTqrvnv+ ++iiiItHfKvJgYqIobUhkiKmWa2wL3mgqvNRIqTrTC4jWZuCkxQ/ksqL9O/F6zk+aR ++S1d+KbPaqCR5Rw+lAgMBAAGjgekwgeYwHQYDVR0OBBYEFNt+QHK9XDWF7CkpgRLo ++Ymhqtz99MIG2BgNVHSMEga4wgauAFNt+QHK9XDWF7CkpgRLoYmhqtz99oYGHpIGE ++MIGBMQswCQYDVQQGEwJCUjEaMBgGA1UECBMRUmlvIEdyYW5kZSBkbyBTdWwxFTAT ++BgNVBAcTDFBvcnRvIEFsZWdyZTEeMBwGA1UEAxMVSGVucmlxdWUgZG8gTi4gQW5n ++ZWxvMR8wHQYJKoZIhvcNAQkBFhBobmFuZ2Vsb0BwaHAubmV0ggkArsVWzHI3UKIw ++DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCP1GUnStC0TBqngr3Kx+zS ++UW8KutKO0ORc5R8aV/x9LlaJrzPyQJgiPpu5hXogLSKRIHxQS3X2+Y0VvIpW72LW ++PVKPhYlNtO3oKnfoJGKin0eEhXRZMjfEW/kznY+ZZmNifV2r8s+KhNAqI4PbClvn ++4vh8xF/9+eVEj+hM+0OflA== + -----END CERTIFICATE----- + " + } + +-- +2.31.1 + +From 8e99695bb1f630edee4ddb44ae78e99190b5efb3 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Fri, 6 Aug 2021 11:15:18 +0200 +Subject: [PATCH 23/39] Do not special case export of EC keys + +All other private keys are exported in PKCS#8 format, while EC +keys use traditional format. Switch them to use PKCS#8 format as +well. + +As the OpenSSL docs say: + +> PEM_write_bio_PrivateKey_traditional() writes out a private key +> in the "traditional" format with a simple private key marker and +> should only be used for compatibility with legacy programs. + +(cherry picked from commit f2d3e75933fa155a5281c824263780dbc660ecb1) +--- + ext/openssl/openssl.c | 36 ++++--------------- + .../tests/openssl_pkey_export_basic.phpt | 6 +++- + 2 files changed, 11 insertions(+), 31 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 91d2589aad..b360b0506e 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4225,21 +4225,9 @@ PHP_FUNCTION(openssl_pkey_export_to_file) + cipher = NULL; + } + +- switch (EVP_PKEY_base_id(key)) { +-#ifdef HAVE_EVP_PKEY_EC +- case EVP_PKEY_EC: +- pem_write = PEM_write_bio_ECPrivateKey( +- bio_out, EVP_PKEY_get0_EC_KEY(key), cipher, +- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); +- break; +-#endif +- default: +- pem_write = PEM_write_bio_PrivateKey( +- bio_out, key, cipher, +- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); +- break; +- } +- ++ pem_write = PEM_write_bio_PrivateKey( ++ bio_out, key, cipher, ++ (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); + if (pem_write) { + /* Success! + * If returning the output as a string, do so now */ +@@ -4297,21 +4285,9 @@ PHP_FUNCTION(openssl_pkey_export) + cipher = NULL; + } + +- switch (EVP_PKEY_base_id(key)) { +-#ifdef HAVE_EVP_PKEY_EC +- case EVP_PKEY_EC: +- pem_write = PEM_write_bio_ECPrivateKey( +- bio_out, EVP_PKEY_get0_EC_KEY(key), cipher, +- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); +- break; +-#endif +- default: +- pem_write = PEM_write_bio_PrivateKey( +- bio_out, key, cipher, +- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); +- break; +- } +- ++ pem_write = PEM_write_bio_PrivateKey( ++ bio_out, key, cipher, ++ (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); + if (pem_write) { + /* Success! + * If returning the output as a string, do so now */ +diff --git a/ext/openssl/tests/openssl_pkey_export_basic.phpt b/ext/openssl/tests/openssl_pkey_export_basic.phpt +index 678b7e7299..5cd68d18b8 100644 +--- a/ext/openssl/tests/openssl_pkey_export_basic.phpt ++++ b/ext/openssl/tests/openssl_pkey_export_basic.phpt +@@ -47,7 +47,11 @@ var_dump($key instanceof OpenSSLAsymmetricKey); + object(OpenSSLAsymmetricKey)#%d (0) { + } + bool(true) +------BEGIN EC PRIVATE KEY-----%a-----END EC PRIVATE KEY----- ++-----BEGIN PRIVATE KEY----- ++MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgs+Sqh7IzteDBiS5K ++PfTvuWuyt9YkrkuoyiW/6bag6NmhRANCAAQ+riFshYe8HnWt1avx6OuNajipU1ZW ++6BgW0+D/EtDDSYeQg9ngO8qyo5M6cyh7ORtKZVUy7DP1+W+eocaZC+a6 ++-----END PRIVATE KEY----- + bool(true) + bool(true) + object(OpenSSLAsymmetricKey)#%d (0) { +-- +2.31.1 + +From 87bec9d2942be4a87cccb0d28cb3e134d692c312 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Fri, 6 Aug 2021 16:51:05 +0200 +Subject: [PATCH 24/39] Switch manual DH key generation to param API + +Instead of using the deprecated low-level interface. + +This should also avoid issues with fetching parameters from +legacy keys, cf. https://github.com/openssl/openssl/issues/16247. + +(cherry picked from commit a7740a0bf00704372353ea4360c3e6b58102a6f7) +--- + ext/openssl/openssl.c | 136 ++++++++++++++++++++++++++++++++++-------- + 1 file changed, 112 insertions(+), 24 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index b360b0506e..06e5adecda 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -56,6 +56,10 @@ + #include <openssl/ssl.h> + #include <openssl/pkcs12.h> + #include <openssl/cms.h> ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++#include <openssl/core_names.h> ++#include <openssl/param_build.h> ++#endif + + /* Common */ + #include <time.h> +@@ -3919,8 +3923,8 @@ static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM + } + /* }}} */ + +-/* {{{ php_openssl_pkey_init_dh */ +-static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private) ++#if PHP_OPENSSL_API_VERSION < 0x30000 ++static zend_bool php_openssl_pkey_init_legacy_dh(DH *dh, zval *data, bool *is_private) + { + BIGNUM *p, *q, *g, *priv_key, *pub_key; + +@@ -3952,9 +3956,108 @@ static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private) + return 0; + } + /* all good */ ++ *is_private = true; + return 1; + } +-/* }}} */ ++#endif ++ ++static EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private) ++{ ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL; ++ EVP_PKEY *param_key = NULL, *pkey = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); ++ OSSL_PARAM *params = NULL; ++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); ++ ++ OPENSSL_PKEY_SET_BN(data, p); ++ OPENSSL_PKEY_SET_BN(data, q); ++ OPENSSL_PKEY_SET_BN(data, g); ++ OPENSSL_PKEY_SET_BN(data, priv_key); ++ OPENSSL_PKEY_SET_BN(data, pub_key); ++ ++ if (!ctx || !bld || !p || !g) { ++ goto cleanup; ++ } ++ ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p); ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g); ++ if (q) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q); ++ } ++ if (priv_key) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key); ++ if (!pub_key) { ++ pub_key = php_openssl_dh_pub_from_priv(priv_key, g, p); ++ if (!pub_key) { ++ goto cleanup; ++ } ++ } ++ } ++ if (pub_key) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key); ++ } ++ ++ params = OSSL_PARAM_BLD_to_param(bld); ++ if (!params) { ++ goto cleanup; ++ } ++ ++ if (EVP_PKEY_fromdata_init(ctx) <= 0 || ++ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) { ++ goto cleanup; ++ } ++ ++ if (pub_key || priv_key) { ++ *is_private = priv_key != NULL; ++ EVP_PKEY_up_ref(param_key); ++ pkey = param_key; ++ } else { ++ *is_private = true; ++ PHP_OPENSSL_RAND_ADD_TIME(); ++ EVP_PKEY_CTX_free(ctx); ++ ctx = EVP_PKEY_CTX_new(param_key, NULL); ++ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) { ++ goto cleanup; ++ } ++ } ++ ++cleanup: ++ php_openssl_store_errors(); ++ EVP_PKEY_free(param_key); ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(bld); ++ BN_free(p); ++ BN_free(q); ++ BN_free(g); ++ BN_free(priv_key); ++ BN_free(pub_key); ++ return pkey; ++#else ++ EVP_PKEY *pkey = EVP_PKEY_new(); ++ if (!pkey) { ++ php_openssl_store_errors(); ++ return NULL; ++ } ++ ++ DH *dh = DH_new(); ++ if (!dh) { ++ EVP_PKEY_free(pkey); ++ return NULL; ++ } ++ ++ if (!php_openssl_pkey_init_legacy_dh(dh, data, is_private) ++ || !EVP_PKEY_assign_DH(pkey, dh)) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ DH_free(dh); ++ return NULL; ++ } ++ ++ return pkey; ++#endif ++} + + /* {{{ Generates a new private key */ + PHP_FUNCTION(openssl_pkey_new) +@@ -4016,28 +4119,13 @@ PHP_FUNCTION(openssl_pkey_new) + RETURN_FALSE; + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dh", sizeof("dh") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { +- pkey = EVP_PKEY_new(); +- if (pkey) { +- DH *dh = DH_new(); +- if (dh) { +- bool is_private; +- if (php_openssl_pkey_init_dh(dh, data, &is_private)) { +- if (EVP_PKEY_assign_DH(pkey, dh)) { +- php_openssl_pkey_object_init(return_value, pkey, is_private); +- return; +- } else { +- php_openssl_store_errors(); +- } +- } +- DH_free(dh); +- } else { +- php_openssl_store_errors(); +- } +- EVP_PKEY_free(pkey); +- } else { +- php_openssl_store_errors(); ++ bool is_private; ++ pkey = php_openssl_pkey_init_dh(data, &is_private); ++ if (!pkey) { ++ RETURN_FALSE; + } +- RETURN_FALSE; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); ++ return; + #ifdef HAVE_EVP_PKEY_EC + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ec", sizeof("ec") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { +-- +2.31.1 + +From 0b1f12e24360dad5c6feba319af7e12e2cf72fc1 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Fri, 6 Aug 2021 17:14:58 +0200 +Subject: [PATCH 25/39] Switch manual DSA key generation to param API + +This is very similar to the DH case, with the primary difference +that priv_key is ignored if pub_key is not given, rather than +generating pub_key from priv_key. Would be nice if these worked +the same (in which case we should probably also unify the keygen +for FFC algorithms, as it's very similar). + +(cherry picked from commit 2bf316fdfc0cfc4b6a5e27c9a13274d01b4b298f) +--- + ext/openssl/openssl.c | 126 ++++++++++++++++++++++++++++++++++-------- + 1 file changed, 102 insertions(+), 24 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 06e5adecda..84a4083807 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3844,8 +3844,8 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, + return 1; + } + +-/* {{{ php_openssl_pkey_init_dsa */ +-static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_private) ++#if PHP_OPENSSL_API_VERSION < 0x30000 ++static zend_bool php_openssl_pkey_init_legacy_dsa(DSA *dsa, zval *data, bool *is_private) + { + BIGNUM *p, *q, *g, *priv_key, *pub_key; + const BIGNUM *priv_key_const, *pub_key_const; +@@ -3878,9 +3878,102 @@ static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_privat + return 0; + } + /* all good */ ++ *is_private = true; + return 1; + } +-/* }}} */ ++#endif ++ ++static EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private) ++{ ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL; ++ EVP_PKEY *param_key = NULL, *pkey = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, NULL); ++ OSSL_PARAM *params = NULL; ++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); ++ ++ OPENSSL_PKEY_SET_BN(data, p); ++ OPENSSL_PKEY_SET_BN(data, q); ++ OPENSSL_PKEY_SET_BN(data, g); ++ OPENSSL_PKEY_SET_BN(data, priv_key); ++ OPENSSL_PKEY_SET_BN(data, pub_key); ++ ++ if (!ctx || !bld || !p || !q || !g) { ++ goto cleanup; ++ } ++ ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p); ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q); ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g); ++ // TODO: We silently ignore priv_key if pub_key is not given, unlike in the DH case. ++ if (pub_key) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key); ++ if (priv_key) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key); ++ } ++ } ++ ++ params = OSSL_PARAM_BLD_to_param(bld); ++ if (!params) { ++ goto cleanup; ++ } ++ ++ if (EVP_PKEY_fromdata_init(ctx) <= 0 || ++ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) { ++ goto cleanup; ++ } ++ ++ if (pub_key) { ++ *is_private = priv_key != NULL; ++ EVP_PKEY_up_ref(param_key); ++ pkey = param_key; ++ } else { ++ *is_private = true; ++ PHP_OPENSSL_RAND_ADD_TIME(); ++ EVP_PKEY_CTX_free(ctx); ++ ctx = EVP_PKEY_CTX_new(param_key, NULL); ++ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) { ++ goto cleanup; ++ } ++ } ++ ++cleanup: ++ php_openssl_store_errors(); ++ EVP_PKEY_free(param_key); ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(bld); ++ BN_free(p); ++ BN_free(q); ++ BN_free(g); ++ BN_free(priv_key); ++ BN_free(pub_key); ++ return pkey; ++#else ++ EVP_PKEY *pkey = EVP_PKEY_new(); ++ if (!pkey) { ++ php_openssl_store_errors(); ++ return NULL; ++ } ++ ++ DSA *dsa = DSA_new(); ++ if (!dsa) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ return NULL; ++ } ++ ++ if (!php_openssl_pkey_init_legacy_dsa(dsa, data, is_private) ++ || !EVP_PKEY_assign_DSA(pkey, dsa)) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ DSA_free(dsa); ++ return NULL; ++ } ++ ++ return pkey; ++#endif ++} + + /* {{{ php_openssl_dh_pub_from_priv */ + static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM *p) +@@ -4095,28 +4188,13 @@ PHP_FUNCTION(openssl_pkey_new) + RETURN_FALSE; + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dsa", sizeof("dsa") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { +- pkey = EVP_PKEY_new(); +- if (pkey) { +- DSA *dsa = DSA_new(); +- if (dsa) { +- bool is_private; +- if (php_openssl_pkey_init_dsa(dsa, data, &is_private)) { +- if (EVP_PKEY_assign_DSA(pkey, dsa)) { +- php_openssl_pkey_object_init(return_value, pkey, is_private); +- return; +- } else { +- php_openssl_store_errors(); +- } +- } +- DSA_free(dsa); +- } else { +- php_openssl_store_errors(); +- } +- EVP_PKEY_free(pkey); +- } else { +- php_openssl_store_errors(); ++ bool is_private; ++ pkey = php_openssl_pkey_init_dsa(data, &is_private); ++ if (!pkey) { ++ RETURN_FALSE; + } +- RETURN_FALSE; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); ++ return; + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dh", sizeof("dh") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { + bool is_private; +-- +2.31.1 + +From d20cf6a278be5561debcd5ce0cc34a6046eac669 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Sun, 8 Aug 2021 17:39:06 +0200 +Subject: [PATCH 26/39] Use OpenSSL NCONF APIs (#7337) + +(cherry picked from commit 94bc5fce261a4a56a545bdfb25d5c2452a07de08) +--- + ext/openssl/openssl.c | 66 +++++++++++++++++++++++-------------------- + 1 file changed, 36 insertions(+), 30 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 84a4083807..1dda83f71e 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -500,8 +500,8 @@ int php_openssl_get_ssl_stream_data_index() + static char default_ssl_conf_filename[MAXPATHLEN]; + + struct php_x509_request { /* {{{ */ +- LHASH_OF(CONF_VALUE) * global_config; /* Global SSL config */ +- LHASH_OF(CONF_VALUE) * req_config; /* SSL config for this request */ ++ CONF *global_config; /* Global SSL config */ ++ CONF *req_config; /* SSL config for this request */ + const EVP_MD * md_alg; + const EVP_MD * digest; + char * section_name, +@@ -712,13 +712,13 @@ static time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */ + } + /* }}} */ + +-static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, LHASH_OF(CONF_VALUE) * config) /* {{{ */ ++static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, CONF *config) /* {{{ */ + { + X509V3_CTX ctx; + + X509V3_set_ctx_test(&ctx); +- X509V3_set_conf_lhash(&ctx, config); +- if (!X509V3_EXT_add_conf(config, &ctx, (char *)section, NULL)) { ++ X509V3_set_nconf(&ctx, config); ++ if (!X509V3_EXT_add_nconf(config, &ctx, (char *)section, NULL)) { + php_openssl_store_errors(); + php_error_docref(NULL, E_WARNING, "Error loading %s section %s of %s", + section_label, +@@ -730,17 +730,24 @@ static inline int php_openssl_config_check_syntax(const char * section_label, co + } + /* }}} */ + +-static char *php_openssl_conf_get_string( +- LHASH_OF(CONF_VALUE) *conf, const char *group, const char *name) { +- char *str = CONF_get_string(conf, group, name); +- if (str == NULL) { +- /* OpenSSL reports an error if a configuration value is not found. +- * However, we don't want to generate errors for optional configuration. */ +- ERR_clear_error(); +- } ++static char *php_openssl_conf_get_string(CONF *conf, const char *group, const char *name) { ++ /* OpenSSL reports an error if a configuration value is not found. ++ * However, we don't want to generate errors for optional configuration. */ ++ ERR_set_mark(); ++ char *str = NCONF_get_string(conf, group, name); ++ ERR_pop_to_mark(); + return str; + } + ++static long php_openssl_conf_get_number(CONF *conf, const char *group, const char *name) { ++ /* Same here, ignore errors. */ ++ long res = 0; ++ ERR_set_mark(); ++ NCONF_get_number(conf, group, name, &res); ++ ERR_pop_to_mark(); ++ return res; ++} ++ + static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */ + { + char * str; +@@ -752,7 +759,7 @@ static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */ + if (str == NULL) { + return SUCCESS; + } +- sktmp = CONF_get_section(req->req_config, str); ++ sktmp = NCONF_get_section(req->req_config, str); + if (sktmp == NULL) { + php_openssl_store_errors(); + php_error_docref(NULL, E_WARNING, "Problem loading oid section %s", str); +@@ -823,13 +830,13 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option + + SET_OPTIONAL_STRING_ARG("config", req->config_filename, default_ssl_conf_filename); + SET_OPTIONAL_STRING_ARG("config_section_name", req->section_name, "req"); +- req->global_config = CONF_load(NULL, default_ssl_conf_filename, NULL); +- if (req->global_config == NULL) { ++ req->global_config = NCONF_new(NULL); ++ if (!NCONF_load(req->global_config, default_ssl_conf_filename, NULL)) { + php_openssl_store_errors(); + } +- req->req_config = CONF_load(NULL, req->config_filename, NULL); +- if (req->req_config == NULL) { +- php_openssl_store_errors(); ++ ++ req->req_config = NCONF_new(NULL); ++ if (!NCONF_load(req->req_config, req->config_filename, NULL)) { + return FAILURE; + } + +@@ -853,8 +860,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option + SET_OPTIONAL_STRING_ARG("req_extensions", req->request_extensions_section, + php_openssl_conf_get_string(req->req_config, req->section_name, "req_extensions")); + SET_OPTIONAL_LONG_ARG("private_key_bits", req->priv_key_bits, +- CONF_get_number(req->req_config, req->section_name, "default_bits")); +- ++ php_openssl_conf_get_number(req->req_config, req->section_name, "default_bits")); + SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT); + + if (optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key")-1)) != NULL) { +@@ -934,11 +940,11 @@ static void php_openssl_dispose_config(struct php_x509_request * req) /* {{{ */ + req->priv_key = NULL; + } + if (req->global_config) { +- CONF_free(req->global_config); ++ NCONF_free(req->global_config); + req->global_config = NULL; + } + if (req->req_config) { +- CONF_free(req->req_config); ++ NCONF_free(req->req_config); + req->req_config = NULL; + } + } +@@ -2844,12 +2850,12 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z + STACK_OF(CONF_VALUE) * dn_sk, *attr_sk = NULL; + char * str, *dn_sect, *attr_sect; + +- dn_sect = CONF_get_string(req->req_config, req->section_name, "distinguished_name"); ++ dn_sect = NCONF_get_string(req->req_config, req->section_name, "distinguished_name"); + if (dn_sect == NULL) { + php_openssl_store_errors(); + return FAILURE; + } +- dn_sk = CONF_get_section(req->req_config, dn_sect); ++ dn_sk = NCONF_get_section(req->req_config, dn_sect); + if (dn_sk == NULL) { + php_openssl_store_errors(); + return FAILURE; +@@ -2858,7 +2864,7 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z + if (attr_sect == NULL) { + attr_sk = NULL; + } else { +- attr_sk = CONF_get_section(req->req_config, attr_sect); ++ attr_sk = NCONF_get_section(req->req_config, attr_sect); + if (attr_sk == NULL) { + php_openssl_store_errors(); + return FAILURE; +@@ -3275,8 +3281,8 @@ PHP_FUNCTION(openssl_csr_sign) + X509V3_CTX ctx; + + X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0); +- X509V3_set_conf_lhash(&ctx, req.req_config); +- if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.extensions_section, new_cert)) { ++ X509V3_set_nconf(&ctx, req.req_config); ++ if (!X509V3_EXT_add_nconf(req.req_config, &ctx, req.extensions_section, new_cert)) { + php_openssl_store_errors(); + goto cleanup; + } +@@ -3349,10 +3355,10 @@ PHP_FUNCTION(openssl_csr_new) + X509V3_CTX ext_ctx; + + X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, 0); +- X509V3_set_conf_lhash(&ext_ctx, req.req_config); ++ X509V3_set_nconf(&ext_ctx, req.req_config); + + /* Add extensions */ +- if (req.request_extensions_section && !X509V3_EXT_REQ_add_conf(req.req_config, ++ if (req.request_extensions_section && !X509V3_EXT_REQ_add_nconf(req.req_config, + &ext_ctx, req.request_extensions_section, csr)) + { + php_openssl_store_errors(); +-- +2.31.1 + +From 575c8ddf73c4a343139be225596c5101497e3186 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka <bukka@php.net> +Date: Sun, 8 Aug 2021 20:54:46 +0100 +Subject: [PATCH 27/39] Make CertificateGenerator not dependent on external + config in OpenSSL 3.0 + +(cherry picked from commit c90c9c7545427d9d35cbac45c4ec896f54619744) +--- + ext/openssl/tests/CertificateGenerator.inc | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/ext/openssl/tests/CertificateGenerator.inc b/ext/openssl/tests/CertificateGenerator.inc +index 1dc378e706..4783353a47 100644 +--- a/ext/openssl/tests/CertificateGenerator.inc ++++ b/ext/openssl/tests/CertificateGenerator.inc +@@ -65,7 +65,10 @@ class CertificateGenerator + ), + null, + $this->caKey, +- 2 ++ 2, ++ [ ++ 'config' => self::CONFIG, ++ ] + ); + } + +@@ -101,6 +104,7 @@ class CertificateGenerator + [ req ] + distinguished_name = req_distinguished_name + default_md = sha256 ++default_bits = 1024 + + [ req_distinguished_name ] + +@@ -124,8 +128,9 @@ CONFIG; + ]; + + $this->lastKey = self::generateKey($keyLength); ++ $csr = openssl_csr_new($dn, $this->lastKey, $config); + $this->lastCert = openssl_csr_sign( +- openssl_csr_new($dn, $this->lastKey, $config), ++ $csr, + $this->ca, + $this->caKey, + /* days */ 2, +@@ -139,7 +144,7 @@ CONFIG; + openssl_x509_export($this->lastCert, $certText); + + $keyText = ''; +- openssl_pkey_export($this->lastKey, $keyText); ++ openssl_pkey_export($this->lastKey, $keyText, null, $config); + + file_put_contents($file, $certText . PHP_EOL . $keyText); + } finally { +-- +2.31.1 + +From 4da1bade85b14bd1f0aa9cf9f463931de54de2ef Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Mon, 9 Aug 2021 10:26:12 +0200 +Subject: [PATCH 28/39] Extract EC key initialization + +(cherry picked from commit 14d7c7e9aee5ab55a92ddc626b7b81c130ea7618) +--- + ext/openssl/openssl.c | 239 ++++++++++++++++++++++-------------------- + 1 file changed, 126 insertions(+), 113 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 1dda83f71e..a595101cf6 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4158,6 +4158,126 @@ cleanup: + #endif + } + ++#ifdef HAVE_EVP_PKEY_EC ++static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_private) { ++ EC_GROUP *group = NULL; ++ EC_POINT *pnt = NULL; ++ BIGNUM *d = NULL; ++ zval *bn; ++ zval *x; ++ zval *y; ++ ++ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL && ++ Z_TYPE_P(bn) == IS_STRING) { ++ int nid = OBJ_sn2nid(Z_STRVAL_P(bn)); ++ if (nid != NID_undef) { ++ group = EC_GROUP_new_by_curve_name(nid); ++ if (!group) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); ++ EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED); ++ if (!EC_KEY_set_group(eckey, group)) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ } ++ } ++ ++ if (group == NULL) { ++ php_error_docref(NULL, E_WARNING, "Unknown curve name"); ++ goto clean_exit; ++ } ++ ++ // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y' ++ *is_private = false; ++ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL && ++ Z_TYPE_P(bn) == IS_STRING) { ++ *is_private = true; ++ d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL); ++ if (!EC_KEY_set_private_key(eckey, d)) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ // Calculate the public key by multiplying the Point Q with the public key ++ // P = d * Q ++ pnt = EC_POINT_new(group); ++ if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ ++ BN_free(d); ++ } else if ((x = zend_hash_str_find(Z_ARRVAL_P(data), "x", sizeof("x") - 1)) != NULL && ++ Z_TYPE_P(x) == IS_STRING && ++ (y = zend_hash_str_find(Z_ARRVAL_P(data), "y", sizeof("y") - 1)) != NULL && ++ Z_TYPE_P(y) == IS_STRING) { ++ pnt = EC_POINT_new(group); ++ if (pnt == NULL) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ if (!EC_POINT_set_affine_coordinates_GFp( ++ group, pnt, BN_bin2bn((unsigned char*) Z_STRVAL_P(x), Z_STRLEN_P(x), NULL), ++ BN_bin2bn((unsigned char*) Z_STRVAL_P(y), Z_STRLEN_P(y), NULL), NULL)) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ } ++ ++ if (pnt != NULL) { ++ if (!EC_KEY_set_public_key(eckey, pnt)) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ EC_POINT_free(pnt); ++ pnt = NULL; ++ } ++ ++ if (!EC_KEY_check_key(eckey)) { ++ PHP_OPENSSL_RAND_ADD_TIME(); ++ EC_KEY_generate_key(eckey); ++ php_openssl_store_errors(); ++ } ++ if (EC_KEY_check_key(eckey)) { ++ return true; ++ } else { ++ php_openssl_store_errors(); ++ } ++ ++clean_exit: ++ BN_free(d); ++ EC_POINT_free(pnt); ++ EC_GROUP_free(group); ++ return false; ++} ++ ++static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { ++ EVP_PKEY *pkey = EVP_PKEY_new(); ++ if (!pkey) { ++ php_openssl_store_errors(); ++ return NULL; ++ } ++ ++ EC_KEY *ec = EC_KEY_new(); ++ if (!ec) { ++ EVP_PKEY_free(pkey); ++ return NULL; ++ } ++ ++ if (!php_openssl_pkey_init_legacy_ec(ec, data, is_private) ++ || !EVP_PKEY_assign_EC_KEY(pkey, ec)) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ EC_KEY_free(ec); ++ return NULL; ++ } ++ ++ return pkey; ++} ++#endif ++ + /* {{{ Generates a new private key */ + PHP_FUNCTION(openssl_pkey_new) + { +@@ -4213,120 +4333,13 @@ PHP_FUNCTION(openssl_pkey_new) + #ifdef HAVE_EVP_PKEY_EC + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ec", sizeof("ec") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { +- EC_KEY *eckey = NULL; +- EC_GROUP *group = NULL; +- EC_POINT *pnt = NULL; +- BIGNUM *d = NULL; +- pkey = EVP_PKEY_new(); +- if (pkey) { +- eckey = EC_KEY_new(); +- if (eckey) { +- bool is_private = false; +- EC_GROUP *group = NULL; +- zval *bn; +- zval *x; +- zval *y; +- +- if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL && +- Z_TYPE_P(bn) == IS_STRING) { +- int nid = OBJ_sn2nid(Z_STRVAL_P(bn)); +- if (nid != NID_undef) { +- group = EC_GROUP_new_by_curve_name(nid); +- if (!group) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); +- EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED); +- if (!EC_KEY_set_group(eckey, group)) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- } +- } +- +- if (group == NULL) { +- php_error_docref(NULL, E_WARNING, "Unknown curve name"); +- goto clean_exit; +- } +- +- // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y' +- if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL && +- Z_TYPE_P(bn) == IS_STRING) { +- is_private = true; +- d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL); +- if (!EC_KEY_set_private_key(eckey, d)) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- // Calculate the public key by multiplying the Point Q with the public key +- // P = d * Q +- pnt = EC_POINT_new(group); +- if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- +- BN_free(d); +- } else if ((x = zend_hash_str_find(Z_ARRVAL_P(data), "x", sizeof("x") - 1)) != NULL && +- Z_TYPE_P(x) == IS_STRING && +- (y = zend_hash_str_find(Z_ARRVAL_P(data), "y", sizeof("y") - 1)) != NULL && +- Z_TYPE_P(y) == IS_STRING) { +- pnt = EC_POINT_new(group); +- if (pnt == NULL) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- if (!EC_POINT_set_affine_coordinates_GFp( +- group, pnt, BN_bin2bn((unsigned char*) Z_STRVAL_P(x), Z_STRLEN_P(x), NULL), +- BN_bin2bn((unsigned char*) Z_STRVAL_P(y), Z_STRLEN_P(y), NULL), NULL)) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- } +- +- if (pnt != NULL) { +- if (!EC_KEY_set_public_key(eckey, pnt)) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- EC_POINT_free(pnt); +- pnt = NULL; +- } +- +- if (!EC_KEY_check_key(eckey)) { +- PHP_OPENSSL_RAND_ADD_TIME(); +- EC_KEY_generate_key(eckey); +- php_openssl_store_errors(); +- } +- if (EC_KEY_check_key(eckey) && EVP_PKEY_assign_EC_KEY(pkey, eckey)) { +- EC_GROUP_free(group); +- php_openssl_pkey_object_init(return_value, pkey, is_private); +- return; +- } else { +- php_openssl_store_errors(); +- } +- } else { +- php_openssl_store_errors(); +- } +- } else { +- php_openssl_store_errors(); +- } +-clean_exit: +- if (d != NULL) { +- BN_free(d); +- } +- if (pnt != NULL) { +- EC_POINT_free(pnt); +- } +- if (group != NULL) { +- EC_GROUP_free(group); +- } +- if (eckey != NULL) { +- EC_KEY_free(eckey); ++ bool is_private; ++ pkey = php_openssl_pkey_init_ec(data, &is_private); ++ if (!pkey) { ++ RETURN_FALSE; + } +- EVP_PKEY_free(pkey); +- RETURN_FALSE; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); ++ return; + #endif + } + } +-- +2.31.1 + +From 0b12c49898ef390ce53e33490a842fd384de6902 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Mon, 9 Aug 2021 12:01:35 +0200 +Subject: [PATCH 29/39] Test calculation of EC public key from private key + +(cherry picked from commit 246698671f941b2034518ab04f35009b2da77bb1) +--- + ext/openssl/tests/ecc.phpt | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt +index 0a71393ae3..0b05410c2c 100644 +--- a/ext/openssl/tests/ecc.phpt ++++ b/ext/openssl/tests/ecc.phpt +@@ -33,6 +33,16 @@ $d2 = openssl_pkey_get_details($key2); + // Compare array + var_dump($d1 === $d2); + ++// Check that the public key info is computed from the private key if it is missing. ++$d1_priv = $d1; ++unset($d1_priv["ec"]["x"]); ++unset($d1_priv["ec"]["y"]); ++ ++$key3 = openssl_pkey_new($d1_priv); ++var_dump($key3); ++$d3 = openssl_pkey_get_details($key3); ++var_dump($d1 === $d3); ++ + $dn = array( + "countryName" => "BR", + "stateOrProvinceName" => "Rio Grande do Sul", +@@ -93,6 +103,9 @@ bool(true) + object(OpenSSLAsymmetricKey)#%d (0) { + } + bool(true) ++object(OpenSSLAsymmetricKey)#%d (0) { ++} ++bool(true) + Testing openssl_csr_new with key generation + NULL + object(OpenSSLAsymmetricKey)#%d (0) { +-- +2.31.1 + +From 6b6b7c28dc81e106f6a1ef96d1f4bc43901764cf Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Mon, 9 Aug 2021 11:12:20 +0200 +Subject: [PATCH 30/39] Use param API for creating EC keys + +Rather than the deprecated low level APIs. + +(cherry picked from commit f9e701cde813fad4e1f647e63750c0b9bdeadb4e) +--- + ext/openssl/openssl.c | 96 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 96 insertions(+) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index a595101cf6..df057caa8b 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4159,6 +4159,7 @@ cleanup: + } + + #ifdef HAVE_EVP_PKEY_EC ++#if PHP_OPENSSL_API_VERSION < 0x30000 + static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_private) { + EC_GROUP *group = NULL; + EC_POINT *pnt = NULL; +@@ -4236,6 +4237,7 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ + } + + if (!EC_KEY_check_key(eckey)) { ++ *is_private = true; + PHP_OPENSSL_RAND_ADD_TIME(); + EC_KEY_generate_key(eckey); + php_openssl_store_errors(); +@@ -4252,8 +4254,101 @@ clean_exit: + EC_GROUP_free(group); + return false; + } ++#endif + + static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ BIGNUM *d = NULL, *x = NULL, *y = NULL; ++ EC_GROUP *group = NULL; ++ EC_POINT *pnt = NULL; ++ char *pnt_oct = NULL; ++ EVP_PKEY *param_key = NULL, *pkey = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); ++ OSSL_PARAM *params = NULL; ++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); ++ zval *curve_name_zv = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1); ++ ++ OPENSSL_PKEY_SET_BN(data, d); ++ OPENSSL_PKEY_SET_BN(data, x); ++ OPENSSL_PKEY_SET_BN(data, y); ++ ++ if (!ctx || !bld || !curve_name_zv || Z_TYPE_P(curve_name_zv) != IS_STRING) { ++ goto cleanup; ++ } ++ ++ int nid = OBJ_sn2nid(Z_STRVAL_P(curve_name_zv)); ++ group = EC_GROUP_new_by_curve_name(nid); ++ if (!group) { ++ php_error_docref(NULL, E_WARNING, "Unknown curve name"); ++ goto cleanup; ++ } ++ ++ OSSL_PARAM_BLD_push_utf8_string( ++ bld, OSSL_PKEY_PARAM_GROUP_NAME, Z_STRVAL_P(curve_name_zv), Z_STRLEN_P(curve_name_zv)); ++ ++ if (d) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, d); ++ ++ pnt = EC_POINT_new(group); ++ if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) { ++ goto cleanup; ++ } ++ } else if (x && y) { ++ /* OpenSSL does not allow setting EC_PUB_X/EC_PUB_Y, so convert to encoded format. */ ++ pnt = EC_POINT_new(group); ++ if (!pnt || !EC_POINT_set_affine_coordinates(group, pnt, x, y, NULL)) { ++ goto cleanup; ++ } ++ } ++ ++ if (pnt) { ++ size_t pnt_oct_len = ++ EC_POINT_point2buf(group, pnt, POINT_CONVERSION_COMPRESSED, &pnt_oct, NULL); ++ if (!pnt_oct_len) { ++ goto cleanup; ++ } ++ ++ OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, pnt_oct, pnt_oct_len); ++ } ++ ++ params = OSSL_PARAM_BLD_to_param(bld); ++ if (!params) { ++ goto cleanup; ++ } ++ ++ if (EVP_PKEY_fromdata_init(ctx) <= 0 || ++ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) { ++ goto cleanup; ++ } ++ ++ EVP_PKEY_CTX_free(ctx); ++ ctx = EVP_PKEY_CTX_new(param_key, NULL); ++ if (EVP_PKEY_check(ctx)) { ++ *is_private = d != NULL; ++ EVP_PKEY_up_ref(param_key); ++ pkey = param_key; ++ } else { ++ *is_private = true; ++ PHP_OPENSSL_RAND_ADD_TIME(); ++ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) { ++ goto cleanup; ++ } ++ } ++ ++cleanup: ++ php_openssl_store_errors(); ++ EVP_PKEY_free(param_key); ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(bld); ++ EC_POINT_free(pnt); ++ EC_GROUP_free(group); ++ OPENSSL_free(pnt_oct); ++ BN_free(d); ++ BN_free(x); ++ BN_free(y); ++ return pkey; ++#else + EVP_PKEY *pkey = EVP_PKEY_new(); + if (!pkey) { + php_openssl_store_errors(); +@@ -4275,6 +4370,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { + } + + return pkey; ++#endif + } + #endif + +-- +2.31.1 + +From ab4d43be04953eb75b37d532ac5fe42f0464f1be Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Mon, 9 Aug 2021 14:19:33 +0200 +Subject: [PATCH 31/39] Extract public key portion via PEM roundtrip + +The workaround with cloning the X509_REQ no longer works in +OpenSSL 3. Instead extract the public key portion by round +tripping through PEM. + +(cherry picked from commit 26a51e8d7a6026f6bd69813d044785d154a296a3) +--- + ext/openssl/openssl.c | 43 +++++++++++++++++++------------------------ + 1 file changed, 19 insertions(+), 24 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index df057caa8b..e86e99c73f 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3430,49 +3430,44 @@ PHP_FUNCTION(openssl_csr_get_subject) + } + /* }}} */ + ++static EVP_PKEY *php_openssl_extract_public_key(EVP_PKEY *priv_key) ++{ ++ /* Extract public key portion by round-tripping through PEM. */ ++ BIO *bio = BIO_new(BIO_s_mem()); ++ if (!bio || !PEM_write_bio_PUBKEY(bio, priv_key)) { ++ BIO_free(bio); ++ return NULL; ++ } ++ ++ EVP_PKEY *pub_key = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL); ++ BIO_free(bio); ++ return pub_key; ++} ++ + /* {{{ Returns the subject of a CERT or FALSE on error */ + PHP_FUNCTION(openssl_csr_get_public_key) + { +- X509_REQ *orig_csr, *csr; + zend_object *csr_obj; + zend_string *csr_str; + zend_bool use_shortnames = 1; + +- EVP_PKEY *tpubkey; +- + ZEND_PARSE_PARAMETERS_START(1, 2) + Z_PARAM_OBJ_OF_CLASS_OR_STR(csr_obj, php_openssl_request_ce, csr_str) + Z_PARAM_OPTIONAL + Z_PARAM_BOOL(use_shortnames) + ZEND_PARSE_PARAMETERS_END(); + +- orig_csr = php_openssl_csr_from_param(csr_obj, csr_str); +- if (orig_csr == NULL) { ++ X509_REQ *csr = php_openssl_csr_from_param(csr_obj, csr_str); ++ if (csr == NULL) { + RETURN_FALSE; + } + +-#if PHP_OPENSSL_API_VERSION >= 0x10100 +- /* Due to changes in OpenSSL 1.1 related to locking when decoding CSR, +- * the pub key is not changed after assigning. It means if we pass +- * a private key, it will be returned including the private part. +- * If we duplicate it, then we get just the public part which is +- * the same behavior as for OpenSSL 1.0 */ +- csr = X509_REQ_dup(orig_csr); +-#else +- csr = orig_csr; +-#endif +- + /* Retrieve the public key from the CSR */ +- tpubkey = X509_REQ_get_pubkey(csr); +- +- if (csr != orig_csr) { +- /* We need to free the duplicated CSR */ +- X509_REQ_free(csr); +- } ++ EVP_PKEY *tpubkey = php_openssl_extract_public_key(X509_REQ_get_pubkey(csr)); + + if (csr_str) { +- /* We also need to free the original CSR if it was freshly created */ +- X509_REQ_free(orig_csr); ++ /* We need to free the original CSR if it was freshly created */ ++ X509_REQ_free(csr); + } + + if (tpubkey == NULL) { +-- +2.31.1 + +From 7939ffbdcc8d3358306653d7343f2b70204824f9 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Fri, 6 Aug 2021 12:08:07 +0200 +Subject: [PATCH 32/39] Use param API for openssl_pkey_get_details() + +Now that the DSA/DH/EC keys are not created using the legacy API, +we can fetch the details using the param API as well, and not +run into buggy priv_key handling. + +(cherry picked from commit 6db2c2dbe7a02055e2798e503ccde4b151b7cabf) +--- + ext/openssl/openssl.c | 123 ++++++++++++++++++++++++++++++++++++------ + 1 file changed, 106 insertions(+), 17 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index e86e99c73f..40f05da9f2 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3788,17 +3788,17 @@ cleanup: + } + /* }}} */ + +-#define OPENSSL_GET_BN(_array, _bn, _name) do { \ +- if (_bn != NULL) { \ +- int len = BN_num_bytes(_bn); \ +- zend_string *str = zend_string_alloc(len, 0); \ +- BN_bn2bin(_bn, (unsigned char*)ZSTR_VAL(str)); \ +- ZSTR_VAL(str)[len] = 0; \ +- add_assoc_str(&_array, #_name, str); \ +- } \ +- } while (0); ++static void php_openssl_add_bn_to_array(zval *ary, const BIGNUM *bn, const char *name) { ++ if (bn != NULL) { ++ int len = BN_num_bytes(bn); ++ zend_string *str = zend_string_alloc(len, 0); ++ BN_bn2bin(bn, (unsigned char *)ZSTR_VAL(str)); ++ ZSTR_VAL(str)[len] = 0; ++ add_assoc_str(ary, name, str); ++ } ++} + +-#define OPENSSL_PKEY_GET_BN(_type, _name) OPENSSL_GET_BN(_type, _name, _name) ++#define OPENSSL_PKEY_GET_BN(_type, _name) php_openssl_add_bn_to_array(&_type, _name, #_name) + + #define OPENSSL_PKEY_SET_BN(_data, _name) do { \ + zval *bn; \ +@@ -4639,12 +4639,34 @@ PHP_FUNCTION(openssl_pkey_get_private) + + /* }}} */ + ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++static void php_openssl_copy_bn_param( ++ zval *ary, EVP_PKEY *pkey, const char *param, const char *name) { ++ BIGNUM *bn = NULL; ++ if (EVP_PKEY_get_bn_param(pkey, param, &bn) > 0) { ++ php_openssl_add_bn_to_array(ary, bn, name); ++ BN_free(bn); ++ } ++} ++ ++static zend_string *php_openssl_get_utf8_param( ++ EVP_PKEY *pkey, const char *param, const char *name) { ++ char buf[64]; ++ size_t len; ++ if (EVP_PKEY_get_utf8_string_param(pkey, param, buf, sizeof(buf), &len) > 0) { ++ zend_string *str = zend_string_alloc(len, 0); ++ memcpy(ZSTR_VAL(str), buf, len); ++ ZSTR_VAL(str)[len] = '\0'; ++ return str; ++ } ++ return NULL; ++} ++#endif ++ + /* {{{ returns an array with the key details (bits, pkey, type)*/ + PHP_FUNCTION(openssl_pkey_get_details) + { + zval *key; +- EVP_PKEY *pkey; +- BIO *out; + unsigned int pbio_len; + char *pbio; + zend_long ktype; +@@ -4653,9 +4675,9 @@ PHP_FUNCTION(openssl_pkey_get_details) + RETURN_THROWS(); + } + +- pkey = Z_OPENSSL_PKEY_P(key)->pkey; ++ EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey; + +- out = BIO_new(BIO_s_mem()); ++ BIO *out = BIO_new(BIO_s_mem()); + if (!PEM_write_bio_PUBKEY(out, pkey)) { + BIO_free(out); + php_openssl_store_errors(); +@@ -4669,6 +4691,72 @@ PHP_FUNCTION(openssl_pkey_get_details) + /*TODO: Use the real values once the openssl constants are used + * See the enum at the top of this file + */ ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ zval ary; ++ switch (EVP_PKEY_base_id(pkey)) { ++ case EVP_PKEY_RSA: ++ ktype = OPENSSL_KEYTYPE_RSA; ++ array_init(&ary); ++ add_assoc_zval(return_value, "rsa", &ary); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_N, "n"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_E, "e"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_D, "d"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, "p"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, "q"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, "dmp1"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, "dmq1"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, "iqmp"); ++ break; ++ case EVP_PKEY_DSA: ++ ktype = OPENSSL_KEYTYPE_DSA; ++ array_init(&ary); ++ add_assoc_zval(return_value, "dsa", &ary); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_P, "p"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_Q, "q"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_G, "g"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "priv_key"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key"); ++ break; ++ case EVP_PKEY_DH: ++ ktype = OPENSSL_KEYTYPE_DH; ++ array_init(&ary); ++ add_assoc_zval(return_value, "dh", &ary); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_P, "p"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_G, "g"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "priv_key"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key"); ++ break; ++ case EVP_PKEY_EC: { ++ ktype = OPENSSL_KEYTYPE_EC; ++ array_init(&ary); ++ add_assoc_zval(return_value, "ec", &ary); ++ ++ zend_string *curve_name = php_openssl_get_utf8_param( ++ pkey, OSSL_PKEY_PARAM_GROUP_NAME, "curve_name"); ++ if (curve_name) { ++ add_assoc_str(&ary, "curve_name", curve_name); ++ ++ int nid = OBJ_sn2nid(ZSTR_VAL(curve_name)); ++ if (nid != NID_undef) { ++ ASN1_OBJECT *obj = OBJ_nid2obj(nid); ++ if (obj) { ++ // OpenSSL recommends a buffer length of 80. ++ char oir_buf[80]; ++ int oir_len = OBJ_obj2txt(oir_buf, sizeof(oir_buf), obj, 1); ++ add_assoc_stringl(&ary, "curve_oid", oir_buf, oir_len); ++ ASN1_OBJECT_free(obj); ++ } ++ } ++ } ++ ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_EC_PUB_X, "x"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_EC_PUB_Y, "y"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "d"); ++ break; ++ } ++ EMPTY_SWITCH_DEFAULT_CASE(); ++ } ++#else + switch (EVP_PKEY_base_id(pkey)) { + case EVP_PKEY_RSA: + case EVP_PKEY_RSA2: +@@ -4785,14 +4873,14 @@ PHP_FUNCTION(openssl_pkey_get_details) + pub = EC_KEY_get0_public_key(ec_key); + + if (EC_POINT_get_affine_coordinates_GFp(ec_group, pub, x, y, NULL)) { +- OPENSSL_GET_BN(ec, x, x); +- OPENSSL_GET_BN(ec, y, y); ++ php_openssl_add_bn_to_array(&ec, x, "x"); ++ php_openssl_add_bn_to_array(&ec, y, "y"); + } else { + php_openssl_store_errors(); + } + + if ((d = EC_KEY_get0_private_key(EVP_PKEY_get0_EC_KEY(pkey))) != NULL) { +- OPENSSL_GET_BN(ec, d, d); ++ php_openssl_add_bn_to_array(&ec, d, "d"); + } + + add_assoc_zval(return_value, "ec", &ec); +@@ -4806,6 +4894,7 @@ PHP_FUNCTION(openssl_pkey_get_details) + ktype = -1; + break; + } ++#endif + add_assoc_long(return_value, "type", ktype); + + BIO_free(out); +-- +2.31.1 + +From 35012d2b29254b806e5f376817d22f6c3bab136d Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Mon, 9 Aug 2021 14:34:12 +0200 +Subject: [PATCH 33/39] Add missing unsigned qualifier + +This previously got lost in the deprecation warning noise. + +(cherry picked from commit ff2a39e6fcbd9a3bd7f411168b19711a4be9a2a4) +--- + ext/openssl/openssl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 40f05da9f2..856d7fc4af 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4256,7 +4256,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { + BIGNUM *d = NULL, *x = NULL, *y = NULL; + EC_GROUP *group = NULL; + EC_POINT *pnt = NULL; +- char *pnt_oct = NULL; ++ unsigned char *pnt_oct = NULL; + EVP_PKEY *param_key = NULL, *pkey = NULL; + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + OSSL_PARAM *params = NULL; +-- +2.31.1 + +From c34296faadc0a9e15e4ca960d573cdf3aabd8742 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Mon, 9 Aug 2021 14:47:43 +0200 +Subject: [PATCH 34/39] Use param API to create RSA key + +Instead of deprecated low-level API. + +A caveat here is that when using the high-level API, OpenSSL 3 +requires that if the prime factors are set, the CRT parameters +are also set. See https://github.com/openssl/openssl/issues/16271. + +As such, add CRT parameters to the manual construction test. + +This fixes the last deprecation warnings in openssl.c, but there +are more elsewhere. + +(cherry picked from commit 3724b49aa953fadc365c27e64fba2266d7f6d16b) +--- + ext/openssl/openssl.c | 121 +++++++++++++++--- + ext/openssl/tests/openssl_pkey_new_basic.phpt | 16 +++ + 2 files changed, 116 insertions(+), 21 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 856d7fc4af..9e31f76998 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3812,8 +3812,8 @@ static void php_openssl_add_bn_to_array(zval *ary, const BIGNUM *bn, const char + } \ + } while (0); + +-/* {{{ php_openssl_pkey_init_rsa */ +-static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, zval *data) ++#if PHP_OPENSSL_API_VERSION < 0x30000 ++static zend_bool php_openssl_pkey_init_legacy_rsa(RSA *rsa, zval *data) + { + BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp; + +@@ -3837,12 +3837,102 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, + return 0; + } + +- if (!EVP_PKEY_assign_RSA(pkey, rsa)) { ++ return 1; ++} ++#endif ++ ++static EVP_PKEY *php_openssl_pkey_init_rsa(zval *data) ++{ ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL; ++ BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; ++ EVP_PKEY *pkey = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); ++ OSSL_PARAM *params = NULL; ++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); ++ ++ OPENSSL_PKEY_SET_BN(data, n); ++ OPENSSL_PKEY_SET_BN(data, e); ++ OPENSSL_PKEY_SET_BN(data, d); ++ OPENSSL_PKEY_SET_BN(data, p); ++ OPENSSL_PKEY_SET_BN(data, q); ++ OPENSSL_PKEY_SET_BN(data, dmp1); ++ OPENSSL_PKEY_SET_BN(data, dmq1); ++ OPENSSL_PKEY_SET_BN(data, iqmp); ++ ++ if (!ctx || !bld || !n || !d) { ++ goto cleanup; ++ } ++ ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n); ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d); ++ if (e) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e); ++ } ++ if (p) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR1, p); ++ } ++ if (q) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR2, q); ++ } ++ if (dmp1) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1); ++ } ++ if (dmq1) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1); ++ } ++ if (iqmp) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp); ++ } ++ ++ params = OSSL_PARAM_BLD_to_param(bld); ++ if (!params) { ++ goto cleanup; ++ } ++ ++ if (EVP_PKEY_fromdata_init(ctx) <= 0 || ++ EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) { ++ goto cleanup; ++ } ++ ++cleanup: ++ php_openssl_store_errors(); ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(bld); ++ BN_free(n); ++ BN_free(e); ++ BN_free(d); ++ BN_free(p); ++ BN_free(q); ++ BN_free(dmp1); ++ BN_free(dmq1); ++ BN_free(iqmp); ++ return pkey; ++#else ++ EVP_PKEY *pkey = EVP_PKEY_new(); ++ if (!pkey) { + php_openssl_store_errors(); +- return 0; ++ return NULL; + } + +- return 1; ++ RSA *rsa = RSA_new(); ++ if (!rsa) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ return NULL; ++ } ++ ++ if (!php_openssl_pkey_init_legacy_rsa(rsa, data) ++ || !EVP_PKEY_assign_RSA(pkey, rsa)) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ RSA_free(rsa); ++ return NULL; ++ } ++ ++ return pkey; ++#endif + } + + #if PHP_OPENSSL_API_VERSION < 0x30000 +@@ -4386,23 +4476,12 @@ PHP_FUNCTION(openssl_pkey_new) + + if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "rsa", sizeof("rsa")-1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { +- pkey = EVP_PKEY_new(); +- if (pkey) { +- RSA *rsa = RSA_new(); +- if (rsa) { +- if (php_openssl_pkey_init_and_assign_rsa(pkey, rsa, data)) { +- php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true); +- return; +- } +- RSA_free(rsa); +- } else { +- php_openssl_store_errors(); +- } +- EVP_PKEY_free(pkey); +- } else { +- php_openssl_store_errors(); ++ pkey = php_openssl_pkey_init_rsa(data); ++ if (!pkey) { ++ RETURN_FALSE; + } +- RETURN_FALSE; ++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true); ++ return; + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dsa", sizeof("dsa") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { + bool is_private; +diff --git a/ext/openssl/tests/openssl_pkey_new_basic.phpt b/ext/openssl/tests/openssl_pkey_new_basic.phpt +index b2c37f6a87..08c9660f22 100644 +--- a/ext/openssl/tests/openssl_pkey_new_basic.phpt ++++ b/ext/openssl/tests/openssl_pkey_new_basic.phpt +@@ -26,6 +26,11 @@ $phex = "EECFAE81B1B9B3C908810B10A1B5600199EB9F44AEF4FDA493B81A9E3D84F632" . + $qhex = "C97FB1F027F453F6341233EAAAD1D9353F6C42D08866B1D05A0F2035028B9D86" . + "9840B41666B42E92EA0DA3B43204B5CFCE3352524D0416A5A441E700AF461503"; + ++$dphex = "11"; ++$dqhex = "11"; ++$qinvhex = "b06c4fdabb6301198d265bdbae9423b380f271f73453885093077fcd39e2119f" . ++ "c98632154f5883b167a967bf402b4e9e2e0f9656e698ea3666edfb25798039f7"; ++ + $rsa= openssl_pkey_new(array( + 'rsa' => array( + 'n' => hex2bin($nhex), +@@ -33,6 +38,9 @@ $rsa= openssl_pkey_new(array( + 'd' => hex2bin($dhex), + 'p' => hex2bin($phex), + 'q' => hex2bin($qhex), ++ 'dmp1' => hex2bin($dphex), ++ 'dmq1' => hex2bin($dqhex), ++ 'iqmp' => hex2bin($qinvhex), + ) + )); + $details = openssl_pkey_get_details($rsa); +@@ -42,6 +50,10 @@ openssl_pkey_test_cmp($ehex, $rsa_details['e']); + openssl_pkey_test_cmp($dhex, $rsa_details['d']); + openssl_pkey_test_cmp($phex, $rsa_details['p']); + openssl_pkey_test_cmp($qhex, $rsa_details['q']); ++openssl_pkey_test_cmp($dphex, $rsa_details['dmp1']); ++openssl_pkey_test_cmp($dqhex, $rsa_details['dmq1']); ++openssl_pkey_test_cmp($qinvhex, $rsa_details['iqmp']); ++echo "\n"; + + // DSA + $phex = '00f8000ae45b2dacb47dd977d58b719d097bdf07cb2c17660ad898518c08' . +@@ -95,6 +107,10 @@ int(0) + int(0) + int(0) + int(0) ++int(0) ++int(0) ++int(0) ++ + int(0) + int(0) + int(0) +-- +2.31.1 + +From b32adee0fe39c9d0fb981fc7cfe1892c225ba1c3 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Tue, 10 Aug 2021 11:50:18 +0200 +Subject: [PATCH 35/39] Fork openssl_error_string() test for OpenSSL + +The used error code differ signficantly, so use a separate test +file. + +openssl_encrypt() no longer throws an error for invalid key length, +which looks like an upstream bug. + +(cherry picked from commit e5f53e1ca13bfe8abd0f6037c98b59d2dac5744f) +--- + .../tests/openssl_error_string_basic.phpt | 7 +- + .../openssl_error_string_basic_openssl3.phpt | 183 ++++++++++++++++++ + 2 files changed, 188 insertions(+), 2 deletions(-) + create mode 100644 ext/openssl/tests/openssl_error_string_basic_openssl3.phpt + +diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt +index f3eb82067b..aee84b3fab 100644 +--- a/ext/openssl/tests/openssl_error_string_basic.phpt ++++ b/ext/openssl/tests/openssl_error_string_basic.phpt +@@ -1,7 +1,10 @@ + --TEST-- +-openssl_error_string() tests ++openssl_error_string() tests (OpenSSL < 3.0) + --SKIPIF-- +-<?php if (!extension_loaded("openssl")) print "skip"; ?> ++<?php ++if (!extension_loaded("openssl")) print "skip"; ++if (OPENSSL_VERSION_NUMBER >= 0x30000000) die('skip For OpenSSL < 3.0'); ++?> + --FILE-- + <?php + // helper function to check openssl errors +diff --git a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt +new file mode 100644 +index 0000000000..b119346fe1 +--- /dev/null ++++ b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt +@@ -0,0 +1,183 @@ ++--TEST-- ++openssl_error_string() tests (OpenSSL >= 3.0) ++--EXTENSIONS-- ++openssl ++--SKIPIF-- ++<?php ++if (OPENSSL_VERSION_NUMBER < 0x30000000) die('skip For OpenSSL >= 3.0'); ++?> ++--FILE-- ++<?php ++// helper function to check openssl errors ++function expect_openssl_errors($name, $expected_error_codes) { ++ $expected_errors = array_fill_keys($expected_error_codes, false); ++ $all_errors = array(); ++ while (($error_string = openssl_error_string()) !== false) { ++ if (preg_match(",.+:([0-9A-F]+):.+,", $error_string, $m) > 0) { ++ $error_code = $m[1]; ++ if (isset($expected_errors[$error_code])) { ++ $expected_errors[$error_code] = true; ++ } ++ $all_errors[$error_code] = $error_string; ++ } else { ++ $all_errors[] = $error_string; ++ } ++ } ++ ++ $fail = false; ++ foreach ($expected_errors as $error_code => $error_code_found) { ++ if (!$error_code_found) { ++ $fail = true; ++ echo "$name: no error code $error_code\n"; ++ } ++ } ++ ++ if (!$fail) { ++ echo "$name: ok\n"; ++ } else { ++ echo "$name: uncaught errors\n"; ++ foreach ($all_errors as $code => $str) { ++ if (!isset($expected_errors[$code]) || !$expected_errors[$code]) { ++ echo "\t", $code, ": ", $str, "\n"; ++ } ++ } ++ } ++} ++ ++// helper for debugging errors ++function dump_openssl_errors($name) { ++ echo "\n$name\n"; ++ while (($error_string = openssl_error_string()) !== false) { ++ var_dump($error_string); ++ } ++} ++ ++// common output file ++$output_file = __DIR__ . "/openssl_error_string_basic_output.tmp"; ++// invalid file for read is something that does not exist in current directory ++$invalid_file_for_read = __DIR__ . "/invalid_file_for_read_operation.txt"; ++// invalid file for is the test dir as writing file to existing dir should always fail ++$invalid_file_for_write = __DIR__; ++// crt file ++$crt_file = "file://" . __DIR__ . "/cert.crt"; ++// csr file ++$csr_file = "file://" . __DIR__ . "/cert.csr"; ++// public key file ++$public_key_file = "file://" .__DIR__ . "/public.key"; ++// private key file ++$private_key_file = "file://" .__DIR__ . "/private_rsa_1024.key"; ++// private key file with password (password is 'php') ++$private_key_file_with_pass = "file://" .__DIR__ . "/private_rsa_2048_pass_php.key"; ++ ++// ENCRYPTION ++$data = "test"; ++$method = "AES-128-ECB"; ++$enc_key = str_repeat('x', 40); ++// error because password is longer then key length and ++// EVP_CIPHER_CTX_set_key_length fails for AES ++if (0) { ++// TODO: This no longer errors! ++openssl_encrypt($data, $method, $enc_key); ++$enc_error = openssl_error_string(); ++var_dump($enc_error); ++// make sure that error is cleared now ++var_dump(openssl_error_string()); ++// internally OpenSSL ERR won't save more than 15 (16 - 1) errors so lets test it ++for ($i = 0; $i < 20; $i++) { ++ openssl_encrypt($data, $method, $enc_key); ++} ++$error_queue_size = 0; ++while (($enc_error_new = openssl_error_string()) !== false) { ++ if ($enc_error_new !== $enc_error) { ++ echo "The new encoding error doesn't match the expected one\n"; ++ } ++ ++$error_queue_size; ++} ++var_dump($error_queue_size); ++echo "\n"; ++} ++ ++$err_pem_no_start_line = '0480006C'; ++ ++// PKEY ++echo "PKEY errors\n"; ++// file for pkey (file:///) fails when opennig (BIO_new_file) ++@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file); ++expect_openssl_errors('openssl_pkey_export_to_file opening', ['10000080']); ++// file or private pkey is not correct PEM - failing PEM_read_bio_PrivateKey ++@openssl_pkey_export_to_file($csr_file, $output_file); ++expect_openssl_errors('openssl_pkey_export_to_file pem', ['1E08010C']); ++// file to export cannot be written ++@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write); ++expect_openssl_errors('openssl_pkey_export_to_file write', ['10080002']); ++// successful export ++@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd'); ++expect_openssl_errors('openssl_pkey_export', ['1C800064', '04800065']); ++// invalid x509 for getting public key ++@openssl_pkey_get_public($private_key_file); ++expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]); ++// private encrypt with unknown padding ++@openssl_private_encrypt("data", $crypted, $private_key_file, 1000); ++expect_openssl_errors('openssl_private_encrypt', ['1C8000A5']); ++// private decrypt with failed padding check ++@openssl_private_decrypt("data", $crypted, $private_key_file); ++expect_openssl_errors('openssl_private_decrypt', ['0200009F', '02000072']); ++// public encrypt and decrypt with failed padding check and padding ++@openssl_public_encrypt("data", $crypted, $public_key_file, 1000); ++@openssl_public_decrypt("data", $crypted, $public_key_file); ++expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '02000076', '0200008A', '02000072', '1C880004']); ++ ++// X509 ++echo "X509 errors\n"; ++// file for x509 (file:///) fails when opennig (BIO_new_file) ++@openssl_x509_export_to_file("file://" . $invalid_file_for_read, $output_file); ++expect_openssl_errors('openssl_x509_export_to_file open', ['10000080']); ++// file or str cert is not correct PEM - failing PEM_read_bio_X509 or PEM_ASN1_read_bio ++@openssl_x509_export_to_file($csr_file, $output_file); ++expect_openssl_errors('openssl_x509_export_to_file pem', [$err_pem_no_start_line]); ++// file to export cannot be written ++@openssl_x509_export_to_file($crt_file, $invalid_file_for_write); ++expect_openssl_errors('openssl_x509_export_to_file write', ['10080002']); ++// checking purpose fails because there is no such purpose 1000 ++@openssl_x509_checkpurpose($crt_file, 1000); ++expect_openssl_errors('openssl_x509_checkpurpose purpose', ['05800079']); ++ ++// CSR ++echo "CSR errors\n"; ++// file for csr (file:///) fails when opennig (BIO_new_file) ++@openssl_csr_get_subject("file://" . $invalid_file_for_read); ++expect_openssl_errors('openssl_csr_get_subject open', ['10000080']); ++// file or str csr is not correct PEM - failing PEM_read_bio_X509_REQ ++@openssl_csr_get_subject($crt_file); ++expect_openssl_errors('openssl_csr_get_subjec pem', [$err_pem_no_start_line]); ++ ++// other possible causes that are difficult to catch: ++// - ASN1_STRING_to_UTF8 fails in add_assoc_name_entry ++// - invalid php_x509_request field (NULL) would cause error with CONF_get_string ++ ++?> ++--CLEAN-- ++<?php ++$output_file = __DIR__ . "/openssl_error_string_basic_output.tmp"; ++if (is_file($output_file)) { ++ unlink($output_file); ++} ++?> ++--EXPECT-- ++PKEY errors ++openssl_pkey_export_to_file opening: ok ++openssl_pkey_export_to_file pem: ok ++openssl_pkey_export_to_file write: ok ++openssl_pkey_export: ok ++openssl_pkey_get_public: ok ++openssl_private_encrypt: ok ++openssl_private_decrypt: ok ++openssl_private_(en|de)crypt padding: ok ++X509 errors ++openssl_x509_export_to_file open: ok ++openssl_x509_export_to_file pem: ok ++openssl_x509_export_to_file write: ok ++openssl_x509_checkpurpose purpose: ok ++CSR errors ++openssl_csr_get_subject open: ok ++openssl_csr_get_subjec pem: ok +-- +2.31.1 + +From f99d70f7d8d660c2ded4f8f1700771c227987021 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Tue, 10 Aug 2021 12:17:17 +0200 +Subject: [PATCH 36/39] Switch dh_param handling to EVP_PKEY API + +(cherry picked from commit ef787bae242fdd2e72625bbce6ab4ca466b1ef59) +--- + ext/openssl/xp_ssl.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c +index 206543ca82..b61234943e 100644 +--- a/ext/openssl/xp_ssl.c ++++ b/ext/openssl/xp_ssl.c +@@ -1197,11 +1197,7 @@ static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength) + + static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* {{{ */ + { +- DH *dh; +- BIO* bio; +- zval *zdhpath; +- +- zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param"); ++ zval *zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param"); + if (zdhpath == NULL) { + #if 0 + /* Coming in OpenSSL 1.1 ... eventually we'll want to enable this +@@ -1216,14 +1212,29 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* + return FAILURE; + } + +- bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY)); ++ BIO *bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY)); + + if (bio == NULL) { + php_error_docref(NULL, E_WARNING, "Invalid dh_param"); + return FAILURE; + } + +- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ EVP_PKEY *pkey = PEM_read_bio_Parameters(bio, NULL); ++ BIO_free(bio); ++ ++ if (pkey == NULL) { ++ php_error_docref(NULL, E_WARNING, "Failed reading DH params"); ++ return FAILURE; ++ } ++ ++ if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) < 0) { ++ php_error_docref(NULL, E_WARNING, "Failed assigning DH params"); ++ EVP_PKEY_free(pkey); ++ return FAILURE; ++ } ++#else ++ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + BIO_free(bio); + + if (dh == NULL) { +@@ -1238,6 +1249,7 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* + } + + DH_free(dh); ++#endif + + return SUCCESS; + } +-- +2.31.1 + +From b3deb9b38d4a52b4582f40d4d32240353db26653 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikita.ppv@gmail.com> +Date: Wed, 11 Aug 2021 10:11:12 +0200 +Subject: [PATCH 37/39] Fix openssl memory leaks + +Some leaks that snuck in during refactorings. + +(cherry picked from commit 7d2a2c7dc0447c81316d14f3a43a4b6a8ce0b982) +--- + ext/openssl/openssl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 9e31f76998..d8102bd4bc 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3463,7 +3463,9 @@ PHP_FUNCTION(openssl_csr_get_public_key) + } + + /* Retrieve the public key from the CSR */ +- EVP_PKEY *tpubkey = php_openssl_extract_public_key(X509_REQ_get_pubkey(csr)); ++ EVP_PKEY *orig_key = X509_REQ_get_pubkey(csr); ++ EVP_PKEY *tpubkey = php_openssl_extract_public_key(orig_key); ++ EVP_PKEY_free(orig_key); + + if (csr_str) { + /* We need to free the original CSR if it was freshly created */ +@@ -4328,6 +4330,7 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ + php_openssl_store_errors(); + } + if (EC_KEY_check_key(eckey)) { ++ EC_GROUP_free(group); + return true; + } else { + php_openssl_store_errors(); +-- +2.31.1 + +From 02f08ac888b0c5f43468eaf76b59b29a7c2d7c74 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Fri, 10 Sep 2021 11:28:20 +0200 +Subject: [PATCH 38/39] fix [-Wmaybe-uninitialized] build warnings + +(cherry picked from commit 6ee96f095ad947ffc820437b2e9e6449000e18a2) +--- + ext/openssl/openssl.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index d8102bd4bc..40e6e7ba97 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3991,6 +3991,8 @@ static EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private) + OPENSSL_PKEY_SET_BN(data, priv_key); + OPENSSL_PKEY_SET_BN(data, pub_key); + ++ *is_private = false; ++ + if (!ctx || !bld || !p || !q || !g) { + goto cleanup; + } +@@ -4162,6 +4164,8 @@ static EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private) + OPENSSL_PKEY_SET_BN(data, priv_key); + OPENSSL_PKEY_SET_BN(data, pub_key); + ++ *is_private = false; ++ + if (!ctx || !bld || !p || !g) { + goto cleanup; + } +@@ -4255,6 +4259,8 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ + zval *x; + zval *y; + ++ *is_private = false; ++ + if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL && + Z_TYPE_P(bn) == IS_STRING) { + int nid = OBJ_sn2nid(Z_STRVAL_P(bn)); +@@ -4279,7 +4285,6 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ + } + + // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y' +- *is_private = false; + if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL && + Z_TYPE_P(bn) == IS_STRING) { + *is_private = true; +@@ -4360,6 +4365,8 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { + OPENSSL_PKEY_SET_BN(data, x); + OPENSSL_PKEY_SET_BN(data, y); + ++ *is_private = false; ++ + if (!ctx || !bld || !curve_name_zv || Z_TYPE_P(curve_name_zv) != IS_STRING) { + goto cleanup; + } +-- +2.31.1 + +From b881c41d32928781cb48013692da04fc84ca9107 Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka <bukka@php.net> +Date: Sun, 12 Sep 2021 20:30:02 +0100 +Subject: [PATCH 39/39] Make OpenSSL tests less dependent on system config + +It fixes dependencies on system config if running tests with OpenSSL 3.0 + +(cherry picked from commit 43f0141d74c1db6e792f3b625ea7f4ae57ff338f) +--- + ext/openssl/tests/bug52093.phpt | 6 +++--- + ext/openssl/tests/bug72165.phpt | 5 +++-- + ext/openssl/tests/bug73711.phpt | 3 +++ + ext/openssl/tests/ecc.phpt | 3 +++ + .../tests/openssl_error_string_basic_openssl3.phpt | 9 +++++---- + 5 files changed, 17 insertions(+), 9 deletions(-) + +diff --git a/ext/openssl/tests/bug52093.phpt b/ext/openssl/tests/bug52093.phpt +index 63eaceb5ac..162945f914 100644 +--- a/ext/openssl/tests/bug52093.phpt ++++ b/ext/openssl/tests/bug52093.phpt +@@ -14,10 +14,10 @@ $dn = array( + "commonName" => "Henrique do N. Angelo", + "emailAddress" => "hnangelo@php.net" + ); +- ++$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf']; + $privkey = openssl_pkey_new(); +-$csr = openssl_csr_new($dn, $privkey); +-$cert = openssl_csr_sign($csr, null, $privkey, 365, [], PHP_INT_MAX); ++$csr = openssl_csr_new($dn, $privkey, $options); ++$cert = openssl_csr_sign($csr, null, $privkey, 365, $options, PHP_INT_MAX); + var_dump(openssl_x509_parse($cert)['serialNumber']); + ?> + --EXPECT-- +diff --git a/ext/openssl/tests/bug72165.phpt b/ext/openssl/tests/bug72165.phpt +index 50e8b54100..fb78881fc3 100644 +--- a/ext/openssl/tests/bug72165.phpt ++++ b/ext/openssl/tests/bug72165.phpt +@@ -6,8 +6,9 @@ if (!extension_loaded("openssl")) die("skip"); + ?> + --FILE-- + <?php +-$var0 = array(0 => "hello", 1 => "world"); +-$var2 = openssl_csr_new(array(0),$var0,null,array(0)); ++$var0 = [0 => "hello", 1 => "world"]; ++$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf']; ++$var2 = openssl_csr_new([0], $var0, $options, [0]); + ?> + --EXPECTF-- + Warning: openssl_csr_new(): dn: numeric fild names are not supported in %sbug72165.php on line %d +diff --git a/ext/openssl/tests/bug73711.phpt b/ext/openssl/tests/bug73711.phpt +index 4e4bba8aa8..8ca0101d1a 100644 +--- a/ext/openssl/tests/bug73711.phpt ++++ b/ext/openssl/tests/bug73711.phpt +@@ -6,13 +6,16 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded"); + ?> + --FILE-- + <?php ++$config = __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf'; + var_dump(openssl_pkey_new([ + "private_key_type" => OPENSSL_KEYTYPE_DSA, + "private_key_bits" => 1024, ++ 'config' => $config, + ])); + var_dump(openssl_pkey_new([ + "private_key_type" => OPENSSL_KEYTYPE_DH, + "private_key_bits" => 512, ++ 'config' => $config, + ])); + echo "DONE"; + ?> +diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt +index 0b05410c2c..1d97b1450a 100644 +--- a/ext/openssl/tests/ecc.phpt ++++ b/ext/openssl/tests/ecc.phpt +@@ -4,9 +4,11 @@ openssl_*() with OPENSSL_KEYTYPE_EC + <?php if (!extension_loaded("openssl") || !defined("OPENSSL_KEYTYPE_EC")) print "skip"; ?> + --FILE-- + <?php ++$config = __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf'; + $args = array( + "curve_name" => "secp384r1", + "private_key_type" => OPENSSL_KEYTYPE_EC, ++ "config" => $config, + ); + echo "Testing openssl_pkey_new\n"; + $key1 = openssl_pkey_new($args); +@@ -15,6 +17,7 @@ var_dump($key1); + $argsFailed = array( + "curve_name" => "invalid_cuve_name", + "private_key_type" => OPENSSL_KEYTYPE_EC, ++ "config" => $config, + ); + + $keyFailed = openssl_pkey_new($argsFailed); +diff --git a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt +index b119346fe1..d435a53e30 100644 +--- a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt ++++ b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt +@@ -100,18 +100,19 @@ echo "\n"; + $err_pem_no_start_line = '0480006C'; + + // PKEY ++$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf']; + echo "PKEY errors\n"; + // file for pkey (file:///) fails when opennig (BIO_new_file) +-@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file); ++@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file, null, $options); + expect_openssl_errors('openssl_pkey_export_to_file opening', ['10000080']); + // file or private pkey is not correct PEM - failing PEM_read_bio_PrivateKey +-@openssl_pkey_export_to_file($csr_file, $output_file); ++@openssl_pkey_export_to_file($csr_file, $output_file, null, $options); + expect_openssl_errors('openssl_pkey_export_to_file pem', ['1E08010C']); + // file to export cannot be written +-@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write); ++@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write, null, $options); + expect_openssl_errors('openssl_pkey_export_to_file write', ['10080002']); + // successful export +-@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd'); ++@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd', $options); + expect_openssl_errors('openssl_pkey_export', ['1C800064', '04800065']); + // invalid x509 for getting public key + @openssl_pkey_get_public($private_key_file); +-- +2.31.1 + diff --git a/php-8.0.10-phar-sha.patch b/php-8.0.10-phar-sha.patch new file mode 100644 index 0000000..7d6fa2c --- /dev/null +++ b/php-8.0.10-phar-sha.patch @@ -0,0 +1,515 @@ +Backported for 8.0 from + + +From 8bb0c74e24359a11216824117ac3adf3d5ef7b71 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Thu, 5 Aug 2021 11:10:15 +0200 +Subject: [PATCH] switch phar to use sha256 signature by default + +--- + ext/phar/phar/pharcommand.inc | 2 +- + ext/phar/tests/create_new_and_modify.phpt | 4 ++-- + ext/phar/tests/create_new_phar_c.phpt | 4 ++-- + ext/phar/tests/phar_setsignaturealgo2.phpt | 2 +- + ext/phar/tests/tar/phar_setsignaturealgo2.phpt | 2 +- + ext/phar/tests/zip/phar_setsignaturealgo2.phpt | 2 +- + ext/phar/util.c | 6 +++--- + ext/phar/zip.c | 2 +- + 8 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc +index a31290eee75fe..5f698b4bec26b 100644 +--- a/ext/phar/phar/pharcommand.inc ++++ b/ext/phar/phar/pharcommand.inc +@@ -92,7 +92,7 @@ class PharCommand extends CLICommand + 'typ' => 'select', + 'val' => NULL, + 'inf' => '<method> Selects the hash algorithm.', +- 'select' => array('md5' => 'MD5','sha1' => 'SHA1') ++ 'select' => array('md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL') + ), + 'i' => array( + 'typ' => 'regex', +diff --git a/ext/phar/tests/create_new_and_modify.phpt b/ext/phar/tests/create_new_and_modify.phpt +index 02e36c6cea2fe..32defcae8a639 100644 +--- a/ext/phar/tests/create_new_and_modify.phpt ++++ b/ext/phar/tests/create_new_and_modify.phpt +@@ -49,8 +49,8 @@ include $pname . '/b.php'; + <?php unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar.php'); ?> + --EXPECTF-- + brand new! +-string(40) "%s" +-string(40) "%s" ++string(%d) "%s" ++string(%d) "%s" + bool(true) + modified! + another! +diff --git a/ext/phar/tests/create_new_phar_c.phpt b/ext/phar/tests/create_new_phar_c.phpt +index 566d3c4d5f8ad..bf6d740fd1d10 100644 +--- a/ext/phar/tests/create_new_phar_c.phpt ++++ b/ext/phar/tests/create_new_phar_c.phpt +@@ -20,7 +20,7 @@ var_dump($phar->getSignature()); + --EXPECTF-- + array(2) { + ["hash"]=> +- string(40) "%s" ++ string(64) "%s" + ["hash_type"]=> +- string(5) "SHA-1" ++ string(7) "SHA-256" + } +diff --git a/ext/phar/tests/phar_setsignaturealgo2.phpt b/ext/phar/tests/phar_setsignaturealgo2.phpt +index 293d3196713d8..4f31836fbbbcc 100644 +--- a/ext/phar/tests/phar_setsignaturealgo2.phpt ++++ b/ext/phar/tests/phar_setsignaturealgo2.phpt +@@ -52,7 +52,7 @@ array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> +- string(5) "SHA-1" ++ string(7) "SHA-256" + } + array(2) { + ["hash"]=> +diff --git a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt +index 9923ac5c88476..cc10a241d739b 100644 +--- a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt ++++ b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt +@@ -51,7 +51,7 @@ array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> +- string(5) "SHA-1" ++ string(7) "SHA-256" + } + array(2) { + ["hash"]=> +diff --git a/ext/phar/tests/zip/phar_setsignaturealgo2.phpt b/ext/phar/tests/zip/phar_setsignaturealgo2.phpt +index 8de77479d7825..60fec578ee894 100644 +--- a/ext/phar/tests/zip/phar_setsignaturealgo2.phpt ++++ b/ext/phar/tests/zip/phar_setsignaturealgo2.phpt +@@ -78,7 +78,7 @@ array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> +- string(5) "SHA-1" ++ string(7) "SHA-256" + } + array(2) { + ["hash"]=> +diff --git a/ext/phar/util.c b/ext/phar/util.c +index 314acfe81a788..8d2db03b69601 100644 +--- a/ext/phar/util.c ++++ b/ext/phar/util.c +@@ -1798,6 +1798,8 @@ int phar_create_signature(phar_archive_d + *signature_length = 64; + break; + } ++ default: ++ phar->sig_flags = PHAR_SIG_SHA256; + case PHAR_SIG_SHA256: { + unsigned char digest[32]; + PHP_SHA256_CTX context; +@@ -1894,8 +1896,6 @@ int phar_create_signature(phar_archive_d + *signature_length = siglen; + } + break; +- default: +- phar->sig_flags = PHAR_SIG_SHA1; + case PHAR_SIG_SHA1: { + unsigned char digest[20]; + PHP_SHA1_CTX context; +diff --git a/ext/phar/zip.c b/ext/phar/zip.c +index 31d4bd2998215..c5e38cabf7b87 100644 +--- a/ext/phar/zip.c ++++ b/ext/phar/zip.c +@@ -1423,7 +1423,7 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, zend_long len, int + + memcpy(eocd.signature, "PK\5\6", 4); + if (!phar->is_data && !phar->sig_flags) { +- phar->sig_flags = PHAR_SIG_SHA1; ++ phar->sig_flags = PHAR_SIG_SHA256; + } + if (phar->sig_flags) { + PHAR_SET_16(eocd.counthere, zend_hash_num_elements(&phar->manifest) + 1); + +From c51af22fef988c1b2f92b7b9e3a9d745f7084815 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Thu, 5 Aug 2021 16:49:48 +0200 +Subject: [PATCH] implement openssl_256 and openssl_512 for phar singatures + +--- + ext/openssl/openssl.c | 1 + + ext/phar/phar.1.in | 10 +++- + ext/phar/phar.c | 8 +++- + ext/phar/phar/pharcommand.inc | 14 +++++- + ext/phar/phar_internal.h | 2 + + ext/phar/phar_object.c | 24 ++++++++-- + ext/phar/tests/files/openssl256.phar | Bin 0 -> 7129 bytes + ext/phar/tests/files/openssl256.phar.pubkey | 6 +++ + ext/phar/tests/files/openssl512.phar | Bin 0 -> 7129 bytes + ext/phar/tests/files/openssl512.phar.pubkey | 6 +++ + .../phar_get_supported_signatures_002a.phpt | 6 ++- + .../tests/tar/phar_setsignaturealgo2.phpt | 16 +++++++ + ext/phar/tests/test_signaturealgos.phpt | 8 ++++ + ext/phar/util.c | 45 ++++++++++++++---- + 14 files changed, 128 insertions(+), 18 deletions(-) + create mode 100644 ext/phar/tests/files/openssl256.phar + create mode 100644 ext/phar/tests/files/openssl256.phar.pubkey + create mode 100644 ext/phar/tests/files/openssl512.phar + create mode 100644 ext/phar/tests/files/openssl512.phar.pubkey + +diff --git a/ext/phar/phar.1.in b/ext/phar/phar.1.in +index 77912b241dfd5..323e77b0e2a3b 100644 +--- a/ext/phar/phar.1.in ++++ b/ext/phar/phar.1.in +@@ -475,7 +475,15 @@ SHA512 + .TP + .PD + .B openssl +-OpenSSL ++OpenSSL using SHA-1 ++.TP ++.PD ++.B openssl_sha256 ++OpenSSL using SHA-256 ++.TP ++.PD ++.B openssl_sha512 ++OpenSSL using SHA-512 + + .SH SEE ALSO + For a more or less complete description of PHAR look here: +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 77f21cef9da53..bc08e4edde05d 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -869,6 +869,8 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch + PHAR_GET_32(sig_ptr, sig_flags); + + switch(sig_flags) { ++ case PHAR_SIG_OPENSSL_SHA512: ++ case PHAR_SIG_OPENSSL_SHA256: + case PHAR_SIG_OPENSSL: { + uint32_t signature_len; + char *sig; +@@ -903,7 +905,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch + return FAILURE; + } + +- if (FAILURE == phar_verify_signature(fp, end_of_phar, PHAR_SIG_OPENSSL, sig, signature_len, fname, &signature, &sig_len, error)) { ++ if (FAILURE == phar_verify_signature(fp, end_of_phar, sig_flags, sig, signature_len, fname, &signature, &sig_len, error)) { + efree(savebuf); + efree(sig); + php_stream_close(fp); +@@ -3162,7 +3164,9 @@ int phar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int conv + + php_stream_write(newfile, digest, digest_len); + efree(digest); +- if (phar->sig_flags == PHAR_SIG_OPENSSL) { ++ if (phar->sig_flags == PHAR_SIG_OPENSSL || ++ phar->sig_flags == PHAR_SIG_OPENSSL_SHA256 || ++ phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) { + phar_set_32(sig_buf, digest_len); + php_stream_write(newfile, sig_buf, 4); + } +diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc +index 5f698b4bec26b..1b1eeca59c560 100644 +--- a/ext/phar/phar/pharcommand.inc ++++ b/ext/phar/phar/pharcommand.inc +@@ -92,7 +92,7 @@ class PharCommand extends CLICommand + 'typ' => 'select', + 'val' => NULL, + 'inf' => '<method> Selects the hash algorithm.', +- 'select' => array('md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL') ++ 'select' => ['md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL', 'openssl_sha256' => 'OPENSSL_SHA256', 'openssl_sha512' => 'OPENSSL_SHA512'] + ), + 'i' => array( + 'typ' => 'regex', +@@ -156,6 +156,8 @@ class PharCommand extends CLICommand + $hash_avail = Phar::getSupportedSignatures(); + $hash_optional = array('SHA-256' => 'SHA256', + 'SHA-512' => 'SHA512', ++ 'OpenSSL_sha256' => 'OpenSSL_SHA256', ++ 'OpenSSL_sha512' => 'OpenSSL_SHA512', + 'OpenSSL' => 'OpenSSL'); + if (!in_array('OpenSSL', $hash_avail)) { + unset($phar_args['y']); +@@ -429,6 +431,16 @@ class PharCommand extends CLICommand + self::error("Cannot use OpenSSL signing without key.\n"); + } + return Phar::OPENSSL; ++ case 'openssl_sha256': ++ if (!$privkey) { ++ self::error("Cannot use OpenSSL signing without key.\n"); ++ } ++ return Phar::OPENSSL_SHA256; ++ case 'openssl_sha512': ++ if (!$privkey) { ++ self::error("Cannot use OpenSSL signing without key.\n"); ++ } ++ return Phar::OPENSSL_SHA512; + } + } + // }}} +diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h +index a9f81e2ab994a..30b408a8c4462 100644 +--- a/ext/phar/phar_internal.h ++++ b/ext/phar/phar_internal.h +@@ -88,6 +88,8 @@ + #define PHAR_SIG_SHA256 0x0003 + #define PHAR_SIG_SHA512 0x0004 + #define PHAR_SIG_OPENSSL 0x0010 ++#define PHAR_SIG_OPENSSL_SHA256 0x0011 ++#define PHAR_SIG_OPENSSL_SHA512 0x0012 + + /* flags byte for each file adheres to these bitmasks. + All unused values are reserved */ +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index 9c1e5f2fa1eef..c05970e657f18 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -1246,9 +1246,13 @@ PHP_METHOD(Phar, getSupportedSignatures) + add_next_index_stringl(return_value, "SHA-512", 7); + #ifdef PHAR_HAVE_OPENSSL + add_next_index_stringl(return_value, "OpenSSL", 7); ++ add_next_index_stringl(return_value, "OpenSSL_SHA256", 14); ++ add_next_index_stringl(return_value, "OpenSSL_SHA512", 14); + #else + if (zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) { + add_next_index_stringl(return_value, "OpenSSL", 7); ++ add_next_index_stringl(return_value, "OpenSSL_SHA256", 14); ++ add_next_index_stringl(return_value, "OpenSSL_SHA512", 14); + } + #endif + } +@@ -3028,6 +3032,8 @@ PHP_METHOD(Phar, setSignatureAlgorithm) + case PHAR_SIG_MD5: + case PHAR_SIG_SHA1: + case PHAR_SIG_OPENSSL: ++ case PHAR_SIG_OPENSSL_SHA256: ++ case PHAR_SIG_OPENSSL_SHA512: + if (phar_obj->archive->is_persistent && FAILURE == phar_copy_on_write(&(phar_obj->archive))) { + zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" is persistent, unable to copy on write", phar_obj->archive->fname); + RETURN_THROWS(); +@@ -3066,19 +3072,25 @@ PHP_METHOD(Phar, getSignature) + add_assoc_stringl(return_value, "hash", phar_obj->archive->signature, phar_obj->archive->sig_len); + switch(phar_obj->archive->sig_flags) { + case PHAR_SIG_MD5: +- add_assoc_stringl(return_value, "hash_type", "MD5", 3); ++ add_assoc_string(return_value, "hash_type", "MD5"); + break; + case PHAR_SIG_SHA1: +- add_assoc_stringl(return_value, "hash_type", "SHA-1", 5); ++ add_assoc_string(return_value, "hash_type", "SHA-1"); + break; + case PHAR_SIG_SHA256: +- add_assoc_stringl(return_value, "hash_type", "SHA-256", 7); ++ add_assoc_string(return_value, "hash_type", "SHA-256"); + break; + case PHAR_SIG_SHA512: +- add_assoc_stringl(return_value, "hash_type", "SHA-512", 7); ++ add_assoc_string(return_value, "hash_type", "SHA-512"); + break; + case PHAR_SIG_OPENSSL: +- add_assoc_stringl(return_value, "hash_type", "OpenSSL", 7); ++ add_assoc_string(return_value, "hash_type", "OpenSSL"); ++ break; ++ case PHAR_SIG_OPENSSL_SHA256: ++ add_assoc_string(return_value, "hash_type", "OpenSSL_SHA256"); ++ break; ++ case PHAR_SIG_OPENSSL_SHA512: ++ add_assoc_string(return_value, "hash_type", "OpenSSL_SHA512"); + break; + default: + unknown = strpprintf(0, "Unknown (%u)", phar_obj->archive->sig_flags); +@@ -5103,6 +5115,8 @@ void phar_object_init(void) /* {{{ */ + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "PHPS", PHAR_MIME_PHPS) + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "MD5", PHAR_SIG_MD5) + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL", PHAR_SIG_OPENSSL) ++ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL_SHA256", PHAR_SIG_OPENSSL_SHA256) ++ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL_SHA512", PHAR_SIG_OPENSSL_SHA512) + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA1", PHAR_SIG_SHA1) + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA256", PHAR_SIG_SHA256) + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA512", PHAR_SIG_SHA512) +diff --git a/ext/phar/tests/phar_get_supported_signatures_002a.phpt b/ext/phar/tests/phar_get_supported_signatures_002a.phpt +index 06d811f2c35c2..639143b3d2c90 100644 +--- a/ext/phar/tests/phar_get_supported_signatures_002a.phpt ++++ b/ext/phar/tests/phar_get_supported_signatures_002a.phpt +@@ -14,7 +14,7 @@ phar.readonly=0 + var_dump(Phar::getSupportedSignatures()); + ?> + --EXPECT-- +-array(5) { ++array(7) { + [0]=> + string(3) "MD5" + [1]=> +@@ -25,4 +25,8 @@ array(5) { + string(7) "SHA-512" + [4]=> + string(7) "OpenSSL" ++ [5]=> ++ string(14) "OpenSSL_SHA256" ++ [6]=> ++ string(14) "OpenSSL_SHA512" + } +diff --git a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt +index cc10a241d739b..c2eb5d77a5bf0 100644 +--- a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt ++++ b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt +@@ -38,6 +38,10 @@ $pkey = ''; + openssl_pkey_export($private, $pkey, NULL, $config_arg); + $p->setSignatureAlgorithm(Phar::OPENSSL, $pkey); + var_dump($p->getSignature()); ++$p->setSignatureAlgorithm(Phar::OPENSSL_SHA512, $pkey); ++var_dump($p->getSignature()); ++$p->setSignatureAlgorithm(Phar::OPENSSL_SHA256, $pkey); ++var_dump($p->getSignature()); + } catch (Exception $e) { + echo $e->getMessage(); + } +@@ -83,3 +87,15 @@ array(2) { + ["hash_type"]=> + string(7) "OpenSSL" + } ++array(2) { ++ ["hash"]=> ++ string(%d) "%s" ++ ["hash_type"]=> ++ string(14) "OpenSSL_SHA512" ++} ++array(2) { ++ ["hash"]=> ++ string(%d) "%s" ++ ["hash_type"]=> ++ string(14) "OpenSSL_SHA256" ++} +diff --git a/ext/phar/util.c b/ext/phar/util.c +index 8d2db03b69601..515830bf2c70a 100644 +--- a/ext/phar/util.c ++++ b/ext/phar/util.c +@@ -34,7 +34,7 @@ + #include <openssl/ssl.h> + #include <openssl/pkcs12.h> + #else +-static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len); ++static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, php_uint32 sig_type); + #endif + + /* for links to relative location, prepend cwd of the entry */ +@@ -1381,11 +1381,11 @@ static int phar_hex_str(const char *digest, size_t digest_len, char **signature) + /* }}} */ + + #ifndef PHAR_HAVE_OPENSSL +-static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len) /* {{{ */ ++static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, php_uint32 sig_type) /* {{{ */ + { + zend_fcall_info fci; + zend_fcall_info_cache fcc; +- zval retval, zp[3], openssl; ++ zval retval, zp[4], openssl; + zend_string *str; + + ZVAL_STRINGL(&openssl, is_sign ? "openssl_sign" : "openssl_verify", is_sign ? sizeof("openssl_sign")-1 : sizeof("openssl_verify")-1); +@@ -1402,6 +1402,14 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t + } else { + ZVAL_EMPTY_STRING(&zp[0]); + } ++ if (sig_type == PHAR_SIG_OPENSSL_SHA512) { ++ ZVAL_LONG(&zp[3], 9); /* value from openssl.c #define OPENSSL_ALGO_SHA512 9 */ ++ } else if (sig_type == PHAR_SIG_OPENSSL_SHA256) { ++ ZVAL_LONG(&zp[3], 7); /* value from openssl.c #define OPENSSL_ALGO_SHA256 7 */ ++ } else { ++ /* don't rely on default value which may change in the future */ ++ ZVAL_LONG(&zp[3], 1); /* value from openssl.c #define OPENSSL_ALGO_SHA1 1 */ ++ } + + if ((size_t)end != Z_STRLEN(zp[0])) { + zval_ptr_dtor_str(&zp[0]); +@@ -1419,7 +1427,7 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t + return FAILURE; + } + +- fci.param_count = 3; ++ fci.param_count = 4; + fci.params = zp; + Z_ADDREF(zp[0]); + if (is_sign) { +@@ -1482,12 +1490,22 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type, + php_stream_rewind(fp); + + switch (sig_type) { ++ case PHAR_SIG_OPENSSL_SHA512: ++ case PHAR_SIG_OPENSSL_SHA256: + case PHAR_SIG_OPENSSL: { + #ifdef PHAR_HAVE_OPENSSL + BIO *in; + EVP_PKEY *key; +- EVP_MD *mdtype = (EVP_MD *) EVP_sha1(); ++ const EVP_MD *mdtype; + EVP_MD_CTX *md_ctx; ++ ++ if (sig_type == PHAR_SIG_OPENSSL_SHA512) { ++ mdtype = EVP_sha512(); ++ } else if (sig_type == PHAR_SIG_OPENSSL_SHA256) { ++ mdtype = EVP_sha256(); ++ } else { ++ mdtype = EVP_sha1(); ++ } + #else + size_t tempsig; + #endif +@@ -1521,7 +1539,7 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type, + #ifndef PHAR_HAVE_OPENSSL + tempsig = sig_len; + +- if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey ? ZSTR_VAL(pubkey) : NULL, pubkey ? ZSTR_LEN(pubkey) : 0, &sig, &tempsig)) { ++ if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey ? ZSTR_VAL(pubkey) : NULL, pubkey ? ZSTR_LEN(pubkey) : 0, &sig, &tempsig, sig_type)) { + if (pubkey) { + zend_string_release_ex(pubkey, 0); + } +@@ -1815,6 +1833,8 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat + *signature_length = 32; + break; + } ++ case PHAR_SIG_OPENSSL_SHA512: ++ case PHAR_SIG_OPENSSL_SHA256: + case PHAR_SIG_OPENSSL: { + unsigned char *sigbuf; + #ifdef PHAR_HAVE_OPENSSL +@@ -1822,6 +1842,15 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat + BIO *in; + EVP_PKEY *key; + EVP_MD_CTX *md_ctx; ++ const EVP_MD *mdtype; ++ ++ if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) { ++ mdtype = EVP_sha512(); ++ } else if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA256) { ++ mdtype = EVP_sha256(); ++ } else { ++ mdtype = EVP_sha1(); ++ } + + in = BIO_new_mem_buf(PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len)); + +@@ -1847,7 +1876,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat + siglen = EVP_PKEY_size(key); + sigbuf = emalloc(siglen + 1); + +- if (!EVP_SignInit(md_ctx, EVP_sha1())) { ++ if (!EVP_SignInit(md_ctx, mdtype)) { + EVP_PKEY_free(key); + efree(sigbuf); + if (error) { +@@ -1885,7 +1914,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat + siglen = 0; + php_stream_seek(fp, 0, SEEK_END); + +- if (FAILURE == phar_call_openssl_signverify(1, fp, php_stream_tell(fp), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen)) { ++ if (FAILURE == phar_call_openssl_signverify(1, fp, php_stream_tell(fp), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen, phar->sig_flags)) { + if (error) { + spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname); + } diff --git a/php-8.0.10-snmp-sha.patch b/php-8.0.10-snmp-sha.patch new file mode 100644 index 0000000..3ef67ea --- /dev/null +++ b/php-8.0.10-snmp-sha.patch @@ -0,0 +1,143 @@ +Backported for 8.0 from + + +From 718e91343fddb8817a004f96f111c424843bf746 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Wed, 11 Aug 2021 13:02:18 +0200 +Subject: [PATCH] add SHA256 and SHA512 for security protocol + +--- + ext/snmp/config.m4 | 18 +++++++++- + ext/snmp/snmp.c | 33 ++++++++++++++++++- + .../tests/snmp-object-setSecurity_error.phpt | 2 +- + ext/snmp/tests/snmp3-error.phpt | 2 +- + 4 files changed, 51 insertions(+), 4 deletions(-) + +diff --git a/ext/snmp/config.m4 b/ext/snmp/config.m4 +index 1475ddfe2b7f0..f285a572de9cb 100644 +--- a/ext/snmp/config.m4 ++++ b/ext/snmp/config.m4 +@@ -30,7 +30,7 @@ if test "$PHP_SNMP" != "no"; then + AC_MSG_ERROR([Could not find the required paths. Please check your net-snmp installation.]) + fi + else +- AC_MSG_ERROR([Net-SNMP version 5.3 or greater reqired (detected $snmp_full_version).]) ++ AC_MSG_ERROR([Net-SNMP version 5.3 or greater required (detected $snmp_full_version).]) + fi + else + AC_MSG_ERROR([Could not find net-snmp-config binary. Please check your net-snmp installation.]) +@@ -54,6 +54,22 @@ if test "$PHP_SNMP" != "no"; then + $SNMP_SHARED_LIBADD + ]) + ++ dnl Check whether usmHMAC192SHA256AuthProtocol exists. ++ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC192SHA256AuthProtocol, ++ [ ++ AC_DEFINE(HAVE_SNMP_SHA256, 1, [ ]) ++ ], [], [ ++ $SNMP_SHARED_LIBADD ++ ]) ++ ++ dnl Check whether usmHMAC384SHA512AuthProtocol exists. ++ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC384SHA512AuthProtocol, ++ [ ++ AC_DEFINE(HAVE_SNMP_SHA512, 1, [ ]) ++ ], [], [ ++ $SNMP_SHARED_LIBADD ++ ]) ++ + PHP_NEW_EXTENSION(snmp, snmp.c, $ext_shared) + PHP_SUBST(SNMP_SHARED_LIBADD) + fi +diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c +index 69d6549405b17..f0917501751f5 100644 +--- a/ext/snmp/snmp.c ++++ b/ext/snmp/snmp.c +@@ -29,6 +29,7 @@ + #include "php_snmp.h" + + #include "zend_exceptions.h" ++#include "zend_smart_string.h" + #include "ext/spl/spl_exceptions.h" + #include "snmp_arginfo.h" + +@@ -938,16 +939,48 @@ static int netsnmp_session_set_auth_prot + if (!strcasecmp(prot, "MD5")) { + s->securityAuthProto = usmHMACMD5AuthProtocol; + s->securityAuthProtoLen = USM_AUTH_PROTO_MD5_LEN; +- } else ++ return true; ++ } + #endif ++ + if (!strcasecmp(prot, "SHA")) { + s->securityAuthProto = usmHMACSHA1AuthProtocol; + s->securityAuthProtoLen = USM_AUTH_PROTO_SHA_LEN; +- } else { +- zend_value_error("Authentication protocol must be either \"MD5\" or \"SHA\""); +- return (-1); ++ return true; + } +- return (0); ++ ++#ifdef HAVE_SNMP_SHA256 ++ if (!strcasecmp(prot, "SHA256")) { ++ s->securityAuthProto = usmHMAC192SHA256AuthProtocol; ++ s->securityAuthProtoLen = sizeof(usmHMAC192SHA256AuthProtocol) / sizeof(oid); ++ return true; ++ } ++#endif ++ ++#ifdef HAVE_SNMP_SHA512 ++ if (!strcasecmp(prot, "SHA512")) { ++ s->securityAuthProto = usmHMAC384SHA512AuthProtocol; ++ s->securityAuthProtoLen = sizeof(usmHMAC384SHA512AuthProtocol) / sizeof(oid); ++ return true; ++ } ++#endif ++ ++ smart_string err = {0}; ++ ++ smart_string_appends(&err, "Authentication protocol must be \"SHA\""); ++#ifdef HAVE_SNMP_SHA256 ++ smart_string_appends(&err, " or \"SHA256\""); ++#endif ++#ifdef HAVE_SNMP_SHA512 ++ smart_string_appends(&err, " or \"SHA512\""); ++#endif ++#ifndef DISABLE_MD5 ++ smart_string_appends(&err, " or \"MD5\""); ++#endif ++ smart_string_0(&err); ++ zend_value_error("%s", err.c); ++ smart_string_free(&err); ++ return false; + } + /* }}} */ + +diff --git a/ext/snmp/tests/snmp-object-setSecurity_error.phpt b/ext/snmp/tests/snmp-object-setSecurity_error.phpt +index f8de846492a75..cf4f928837773 100644 +--- a/ext/snmp/tests/snmp-object-setSecurity_error.phpt ++++ b/ext/snmp/tests/snmp-object-setSecurity_error.phpt +@@ -59,7 +59,7 @@ var_dump($session->close()); + --EXPECTF-- + Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" + Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" +-Authentication protocol must be either "MD5" or "SHA" ++Authentication protocol must be %s + + Warning: SNMP::setSecurity(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d + bool(false) +diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt +index 849e363b45058..389800dad6b28 100644 +--- a/ext/snmp/tests/snmp3-error.phpt ++++ b/ext/snmp/tests/snmp3-error.phpt +@@ -58,7 +58,7 @@ try { + Checking error handling + Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" + Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" +-Authentication protocol must be either "MD5" or "SHA" ++Authentication protocol must be %s + + Warning: snmp3_get(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d + bool(false) diff --git a/php-8.0.10-systzdata-v21.patch b/php-8.0.10-systzdata-v21.patch new file mode 100644 index 0000000..779f538 --- /dev/null +++ b/php-8.0.10-systzdata-v21.patch @@ -0,0 +1,718 @@ +# License: MIT +# http://opensource.org/licenses/MIT + +Add support for use of the system timezone database, rather +than embedding a copy. Discussed upstream but was not desired. + +History: +r21: retrieve tzdata version from /usr/share/zoneinfo/tzdata.zi +r20: adapt for timelib 2020.03 (in 8.0.10RC1) +r19: adapt for timelib 2020.02 (in 8.0.0beta2) +r18: adapt for autotool change in 7.3.3RC1 +r17: adapt for timelib 2018.01 (in 7.3.2RC1) +r16: adapt for timelib 2017.06 (in 7.2.3RC1) +r15: adapt for timelib 2017.05beta7 (in 7.2.0RC1) +r14: improve check for valid tz file +r13: adapt for upstream changes to use PHP allocator +r12: adapt for upstream changes for new zic +r11: use canonical names to avoid more case sensitivity issues + round lat/long from zone.tab towards zero per builtin db +r10: make timezone case insensitive +r9: fix another compile error without --with-system-tzdata configured (Michael Heimpold) +r8: fix compile error without --with-system-tzdata configured +r7: improve check for valid timezone id to exclude directories +r6: fix fd leak in r5, fix country code/BC flag use in + timezone_identifiers_list() using system db, + fix use of PECL timezonedb to override system db, +r5: reverts addition of "System/Localtime" fake tzname. + updated for 5.3.0, parses zone.tab to pick up mapping between + timezone name, country code and long/lat coords +r4: added "System/Localtime" tzname which uses /etc/localtime +r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert) +r2: add filesystem trawl to set up name alias index +r1: initial revision + +diff --git a/ext/date/config0.m4 b/ext/date/config0.m4 +index 20e4164aaa..a61243646d 100644 +--- a/ext/date/config0.m4 ++++ b/ext/date/config0.m4 +@@ -4,6 +4,19 @@ AC_CHECK_HEADERS([io.h]) + dnl Check for strtoll, atoll + AC_CHECK_FUNCS(strtoll atoll) + ++PHP_ARG_WITH(system-tzdata, for use of system timezone data, ++[ --with-system-tzdata[=DIR] to specify use of system timezone data], ++no, no) ++ ++if test "$PHP_SYSTEM_TZDATA" != "no"; then ++ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used]) ++ ++ if test "$PHP_SYSTEM_TZDATA" != "yes"; then ++ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA", ++ [Define for location of system timezone data]) ++ fi ++fi ++ + PHP_DATE_CFLAGS="-I@ext_builddir@/lib -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -DHAVE_TIMELIB_CONFIG_H=1" + timelib_sources="lib/astro.c lib/dow.c lib/parse_date.c lib/parse_tz.c + lib/timelib.c lib/tm2unixtime.c lib/unixtime2tm.c lib/parse_iso_intervals.c lib/interval.c" +diff --git a/ext/date/lib/parse_tz.c b/ext/date/lib/parse_tz.c +index e9bd0f136d..c04ff01adc 100644 +--- a/ext/date/lib/parse_tz.c ++++ b/ext/date/lib/parse_tz.c +@@ -26,8 +26,21 @@ + #include "timelib.h" + #include "timelib_private.h" + ++#ifdef HAVE_SYSTEM_TZDATA ++#include <sys/mman.h> ++#include <sys/stat.h> ++#include <limits.h> ++#include <fcntl.h> ++#include <unistd.h> ++ ++#include "php_scandir.h" ++ ++#else + #define TIMELIB_SUPPORTS_V2DATA + #include "timezonedb.h" ++#endif ++ ++#include <ctype.h> + + #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__)) + # if defined(__LITTLE_ENDIAN__) +@@ -94,6 +107,11 @@ static int read_php_preamble(const unsigned char **tzf, timelib_tzinfo *tz) + { + uint32_t version; + ++ if (memcmp(*tzf, "TZif", 4) == 0) { ++ *tzf += 20; ++ return 0; ++ } ++ + /* read ID */ + version = (*tzf)[3] - '0'; + *tzf += 4; +@@ -435,7 +453,467 @@ void timelib_dump_tzinfo(timelib_tzinfo *tz) + } + } + +-static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, const timelib_tzdb *tzdb) ++#ifdef HAVE_SYSTEM_TZDATA ++ ++#ifdef HAVE_SYSTEM_TZDATA_PREFIX ++#define ZONEINFO_PREFIX HAVE_SYSTEM_TZDATA_PREFIX ++#else ++#define ZONEINFO_PREFIX "/usr/share/zoneinfo" ++#endif ++ ++/* System timezone database pointer. */ ++static const timelib_tzdb *timezonedb_system; ++ ++/* Hash table entry for the cache of the zone.tab mapping table. */ ++struct location_info { ++ char code[2]; ++ double latitude, longitude; ++ char name[64]; ++ char *comment; ++ struct location_info *next; ++}; ++ ++/* Cache of zone.tab. */ ++static struct location_info **system_location_table; ++ ++/* Size of the zone.tab hash table; a random-ish prime big enough to ++ * prevent too many collisions. */ ++#define LOCINFO_HASH_SIZE (1021) ++ ++/* Compute a case insensitive hash of str */ ++static uint32_t tz_hash(const char *str) ++{ ++ const unsigned char *p = (const unsigned char *)str; ++ uint32_t hash = 5381; ++ int c; ++ ++ while ((c = tolower(*p++)) != '\0') { ++ hash = (hash << 5) ^ hash ^ c; ++ } ++ ++ return hash % LOCINFO_HASH_SIZE; ++} ++ ++/* Parse an ISO-6709 date as used in zone.tab. Returns end of the ++ * parsed string on success, or NULL on parse error. On success, ++ * writes the parsed number to *result. */ ++static char *parse_iso6709(char *p, double *result) ++{ ++ double v, sign; ++ char *pend; ++ size_t len; ++ ++ if (*p == '+') ++ sign = 1.0; ++ else if (*p == '-') ++ sign = -1.0; ++ else ++ return NULL; ++ ++ p++; ++ for (pend = p; *pend >= '0' && *pend <= '9'; pend++) ++ ;; ++ ++ /* Annoying encoding used by zone.tab has no decimal point, so use ++ * the length to determine the format: ++ * ++ * 4 = DDMM ++ * 5 = DDDMM ++ * 6 = DDMMSS ++ * 7 = DDDMMSS ++ */ ++ len = pend - p; ++ if (len < 4 || len > 7) { ++ return NULL; ++ } ++ ++ /* p => [D]DD */ ++ v = (p[0] - '0') * 10.0 + (p[1] - '0'); ++ p += 2; ++ if (len == 5 || len == 7) ++ v = v * 10.0 + (*p++ - '0'); ++ /* p => MM[SS] */ ++ v += (10.0 * (p[0] - '0') ++ + p[1] - '0') / 60.0; ++ p += 2; ++ /* p => [SS] */ ++ if (len > 5) { ++ v += (10.0 * (p[0] - '0') ++ + p[1] - '0') / 3600.0; ++ p += 2; ++ } ++ ++ /* Round to five decimal place, not because it's a good idea, ++ * but, because the builtin data uses rounded data, so, match ++ * that. */ ++ *result = trunc(v * sign * 100000.0) / 100000.0; ++ ++ return p; ++} ++ ++/* This function parses the zone.tab file to build up the mapping of ++ * timezone to country code and geographic location, and returns a ++ * hash table. The hash table is indexed by the function: ++ * ++ * tz_hash(timezone-name) ++ */ ++static struct location_info **create_location_table(void) ++{ ++ struct location_info **li, *i; ++ char zone_tab[PATH_MAX]; ++ char line[512]; ++ FILE *fp; ++ ++ strncpy(zone_tab, ZONEINFO_PREFIX "/zone.tab", sizeof zone_tab); ++ ++ fp = fopen(zone_tab, "r"); ++ if (!fp) { ++ return NULL; ++ } ++ ++ li = calloc(LOCINFO_HASH_SIZE, sizeof *li); ++ ++ while (fgets(line, sizeof line, fp)) { ++ char *p = line, *code, *name, *comment; ++ uint32_t hash; ++ double latitude, longitude; ++ ++ while (isspace(*p)) ++ p++; ++ ++ if (*p == '#' || *p == '\0' || *p == '\n') ++ continue; ++ ++ if (!isalpha(p[0]) || !isalpha(p[1]) || p[2] != '\t') ++ continue; ++ ++ /* code => AA */ ++ code = p; ++ p[2] = 0; ++ p += 3; ++ ++ /* coords => [+-][D]DDMM[SS][+-][D]DDMM[SS] */ ++ p = parse_iso6709(p, &latitude); ++ if (!p) { ++ continue; ++ } ++ p = parse_iso6709(p, &longitude); ++ if (!p) { ++ continue; ++ } ++ ++ if (!p || *p != '\t') { ++ continue; ++ } ++ ++ /* name = string */ ++ name = ++p; ++ while (*p != '\t' && *p && *p != '\n') ++ p++; ++ ++ *p++ = '\0'; ++ ++ /* comment = string */ ++ comment = p; ++ while (*p != '\t' && *p && *p != '\n') ++ p++; ++ ++ if (*p == '\n' || *p == '\t') ++ *p = '\0'; ++ ++ hash = tz_hash(name); ++ i = malloc(sizeof *i); ++ memcpy(i->code, code, 2); ++ strncpy(i->name, name, sizeof i->name); ++ i->comment = strdup(comment); ++ i->longitude = longitude; ++ i->latitude = latitude; ++ i->next = li[hash]; ++ li[hash] = i; ++ /* printf("%s [%u, %f, %f]\n", name, hash, latitude, longitude); */ ++ } ++ ++ fclose(fp); ++ ++ return li; ++} ++ ++/* Return location info from hash table, using given timezone name. ++ * Returns NULL if the name could not be found. */ ++const struct location_info *find_zone_info(struct location_info **li, ++ const char *name) ++{ ++ uint32_t hash = tz_hash(name); ++ const struct location_info *l; ++ ++ if (!li) { ++ return NULL; ++ } ++ ++ for (l = li[hash]; l; l = l->next) { ++ if (timelib_strcasecmp(l->name, name) == 0) ++ return l; ++ } ++ ++ return NULL; ++} ++ ++/* Filter out some non-tzdata files and the posix/right databases, if ++ * present. */ ++static int index_filter(const struct dirent *ent) ++{ ++ return strcmp(ent->d_name, ".") != 0 ++ && strcmp(ent->d_name, "..") != 0 ++ && strcmp(ent->d_name, "posix") != 0 ++ && strcmp(ent->d_name, "posixrules") != 0 ++ && strcmp(ent->d_name, "right") != 0 ++ && strstr(ent->d_name, ".list") == NULL ++ && strstr(ent->d_name, ".tab") == NULL; ++} ++ ++static int sysdbcmp(const void *first, const void *second) ++{ ++ const timelib_tzdb_index_entry *alpha = first, *beta = second; ++ ++ return timelib_strcasecmp(alpha->id, beta->id); ++} ++ ++ ++/* Retrieve tzdata version. */ ++static void retrieve_zone_version(timelib_tzdb *db) ++{ ++ static char buf[30]; ++ char path[PATH_MAX]; ++ FILE *fp; ++ ++ strncpy(path, ZONEINFO_PREFIX "/tzdata.zi", sizeof(path)); ++ ++ fp = fopen(path, "r"); ++ if (fp) { ++ if (fgets(buf, sizeof(buf), fp)) { ++ if (!memcmp(buf, "# version ", 10) && ++ isdigit(buf[10]) && ++ isdigit(buf[11]) && ++ isdigit(buf[12]) && ++ isdigit(buf[13]) && ++ islower(buf[14])) { ++ if (buf[14] >= 't') { /* 2022t = 2022.20 */ ++ buf[17] = 0; ++ buf[16] = buf[14] - 't' + '0'; ++ buf[15] = '2'; ++ } else if (buf[14] >= 'j') { /* 2022j = 2022.10 */ ++ buf[17] = 0; ++ buf[16] = buf[14] - 'j' + '0'; ++ buf[15] = '1'; ++ } else { /* 2022a = 2022.1 */ ++ buf[16] = 0; ++ buf[15] = buf[14] - 'a' + '1'; ++ } ++ buf[14] = '.'; ++ db->version = buf+10; ++ } ++ } ++ fclose(fp); ++ } ++} ++ ++/* Create the zone identifier index by trawling the filesystem. */ ++static void create_zone_index(timelib_tzdb *db) ++{ ++ size_t dirstack_size, dirstack_top; ++ size_t index_size, index_next; ++ timelib_tzdb_index_entry *db_index; ++ char **dirstack; ++ ++ /* LIFO stack to hold directory entries to scan; each slot is a ++ * directory name relative to the zoneinfo prefix. */ ++ dirstack_size = 32; ++ dirstack = malloc(dirstack_size * sizeof *dirstack); ++ dirstack_top = 1; ++ dirstack[0] = strdup(""); ++ ++ /* Index array. */ ++ index_size = 64; ++ db_index = malloc(index_size * sizeof *db_index); ++ index_next = 0; ++ ++ do { ++ struct dirent **ents; ++ char name[PATH_MAX], *top; ++ int count; ++ ++ /* Pop the top stack entry, and iterate through its contents. */ ++ top = dirstack[--dirstack_top]; ++ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s", top); ++ ++ count = php_scandir(name, &ents, index_filter, php_alphasort); ++ ++ while (count > 0) { ++ struct stat st; ++ const char *leaf = ents[count - 1]->d_name; ++ ++ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s/%s", ++ top, leaf); ++ ++ if (strlen(name) && stat(name, &st) == 0) { ++ /* Name, relative to the zoneinfo prefix. */ ++ const char *root = top; ++ ++ if (root[0] == '/') root++; ++ ++ snprintf(name, sizeof name, "%s%s%s", root, ++ *root ? "/": "", leaf); ++ ++ if (S_ISDIR(st.st_mode)) { ++ if (dirstack_top == dirstack_size) { ++ dirstack_size *= 2; ++ dirstack = realloc(dirstack, ++ dirstack_size * sizeof *dirstack); ++ } ++ dirstack[dirstack_top++] = strdup(name); ++ } ++ else { ++ if (index_next == index_size) { ++ index_size *= 2; ++ db_index = realloc(db_index, ++ index_size * sizeof *db_index); ++ } ++ ++ db_index[index_next++].id = strdup(name); ++ } ++ } ++ ++ free(ents[--count]); ++ } ++ ++ if (count != -1) free(ents); ++ free(top); ++ } while (dirstack_top); ++ ++ qsort(db_index, index_next, sizeof *db_index, sysdbcmp); ++ ++ db->index = db_index; ++ db->index_size = index_next; ++ ++ free(dirstack); ++} ++ ++#define FAKE_HEADER "1234\0??\1??" ++#define FAKE_UTC_POS (7 - 4) ++ ++/* Create a fake data segment for database 'sysdb'. */ ++static void fake_data_segment(timelib_tzdb *sysdb, ++ struct location_info **info) ++{ ++ size_t n; ++ char *data, *p; ++ ++ data = malloc(3 * sysdb->index_size + 7); ++ ++ p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1); ++ ++ for (n = 0; n < sysdb->index_size; n++) { ++ const struct location_info *li; ++ timelib_tzdb_index_entry *ent; ++ ++ ent = (timelib_tzdb_index_entry *)&sysdb->index[n]; ++ ++ /* Lookup the timezone name in the hash table. */ ++ if (strcmp(ent->id, "UTC") == 0) { ++ ent->pos = FAKE_UTC_POS; ++ continue; ++ } ++ ++ li = find_zone_info(info, ent->id); ++ if (li) { ++ /* If found, append the BC byte and the ++ * country code; set the position for this ++ * section of timezone data. */ ++ ent->pos = (p - data) - 4; ++ *p++ = '\1'; ++ *p++ = li->code[0]; ++ *p++ = li->code[1]; ++ } ++ else { ++ /* If not found, the timezone data can ++ * point at the header. */ ++ ent->pos = 0; ++ } ++ } ++ ++ sysdb->data = (unsigned char *)data; ++} ++ ++/* Returns true if the passed-in stat structure describes a ++ * probably-valid timezone file. */ ++static int is_valid_tzfile(const struct stat *st, int fd) ++{ ++ if (fd) { ++ char buf[20]; ++ if (read(fd, buf, 20)!=20) { ++ return 0; ++ } ++ lseek(fd, SEEK_SET, 0); ++ if (memcmp(buf, "TZif", 4)) { ++ return 0; ++ } ++ } ++ return S_ISREG(st->st_mode) && st->st_size > 20; ++} ++ ++/* To allow timezone names to be used case-insensitively, find the ++ * canonical name for this timezone, if possible. */ ++static const char *canonical_tzname(const char *timezone) ++{ ++ if (timezonedb_system) { ++ timelib_tzdb_index_entry *ent, lookup; ++ ++ lookup.id = (char *)timezone; ++ ++ ent = bsearch(&lookup, timezonedb_system->index, ++ timezonedb_system->index_size, sizeof lookup, ++ sysdbcmp); ++ if (ent) { ++ return ent->id; ++ } ++ } ++ ++ return timezone; ++} ++ ++/* Return the mmap()ed tzfile if found, else NULL. On success, the ++ * length of the mapped data is placed in *length. */ ++static char *map_tzfile(const char *timezone, size_t *length) ++{ ++ char fname[PATH_MAX]; ++ struct stat st; ++ char *p; ++ int fd; ++ ++ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { ++ return NULL; ++ } ++ ++ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); ++ ++ fd = open(fname, O_RDONLY); ++ if (fd == -1) { ++ return NULL; ++ } else if (fstat(fd, &st) != 0 || !is_valid_tzfile(&st, fd)) { ++ close(fd); ++ return NULL; ++ } ++ ++ *length = st.st_size; ++ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); ++ close(fd); ++ ++ return p != MAP_FAILED ? p : NULL; ++} ++ ++#endif ++ ++static int inmem_seek_to_tz_position(const unsigned char **tzf, const char *timezone, const timelib_tzdb *tzdb) + { + int left = 0, right = tzdb->index_size - 1; + +@@ -461,9 +939,49 @@ static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, + return 0; + } + ++static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, ++ char **map, size_t *maplen, ++ const timelib_tzdb *tzdb) ++{ ++#ifdef HAVE_SYSTEM_TZDATA ++ if (tzdb == timezonedb_system) { ++ char *orig; ++ ++ orig = map_tzfile(timezone, maplen); ++ if (orig == NULL) { ++ return 0; ++ } ++ ++ (*tzf) = (unsigned char *)orig; ++ *map = orig; ++ return 1; ++ } ++ else ++#endif ++ { ++ return inmem_seek_to_tz_position(tzf, timezone, tzdb); ++ } ++} ++ + const timelib_tzdb *timelib_builtin_db(void) + { ++#ifdef HAVE_SYSTEM_TZDATA ++ if (timezonedb_system == NULL) { ++ timelib_tzdb *tmp = malloc(sizeof *tmp); ++ ++ tmp->version = "0.system"; ++ tmp->data = NULL; ++ create_zone_index(tmp); ++ retrieve_zone_version(tmp); ++ system_location_table = create_location_table(); ++ fake_data_segment(tmp, system_location_table); ++ timezonedb_system = tmp; ++ } ++ ++ return timezonedb_system; ++#else + return &timezonedb_builtin; ++#endif + } + + const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_tzdb *tzdb, int *count) +@@ -475,7 +993,30 @@ const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_ + int timelib_timezone_id_is_valid(const char *timezone, const timelib_tzdb *tzdb) + { + const unsigned char *tzf; +- return (seek_to_tz_position(&tzf, timezone, tzdb)); ++ ++#ifdef HAVE_SYSTEM_TZDATA ++ if (tzdb == timezonedb_system) { ++ char fname[PATH_MAX]; ++ struct stat st; ++ ++ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { ++ return 0; ++ } ++ ++ if (system_location_table) { ++ if (find_zone_info(system_location_table, timezone) != NULL) { ++ /* found in cache */ ++ return 1; ++ } ++ } ++ ++ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); ++ ++ return stat(fname, &st) == 0 && is_valid_tzfile(&st, 0); ++ } ++#endif ++ ++ return (inmem_seek_to_tz_position(&tzf, timezone, tzdb)); + } + + static int skip_64bit_preamble(const unsigned char **tzf, timelib_tzinfo *tz) +@@ -517,6 +1058,8 @@ static timelib_tzinfo* timelib_tzinfo_ctor(const char *name) + timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *tzdb, int *error_code) + { + const unsigned char *tzf; ++ char *memmap = NULL; ++ size_t maplen; + timelib_tzinfo *tmp; + int version; + int transitions_result, types_result; +@@ -524,7 +1067,7 @@ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *t + + *error_code = TIMELIB_ERROR_NO_ERROR; + +- if (seek_to_tz_position(&tzf, timezone, tzdb)) { ++ if (seek_to_tz_position(&tzf, timezone, &memmap, &maplen, tzdb)) { + tmp = timelib_tzinfo_ctor(timezone); + + version = read_preamble(&tzf, tmp, &type); +@@ -563,11 +1106,36 @@ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *t + } + skip_posix_string(&tzf, tmp); + ++#ifdef HAVE_SYSTEM_TZDATA ++ if (memmap) { ++ const struct location_info *li; ++ ++ /* TZif-style - grok the location info from the system database, ++ * if possible. */ ++ ++ if ((li = find_zone_info(system_location_table, timezone)) != NULL) { ++ tmp->location.comments = timelib_strdup(li->comment); ++ strncpy(tmp->location.country_code, li->code, 2); ++ tmp->location.longitude = li->longitude; ++ tmp->location.latitude = li->latitude; ++ tmp->bc = 1; ++ } ++ else { ++ set_default_location_and_comments(&tzf, tmp); ++ } ++ ++ /* Now done with the mmap segment - discard it. */ ++ munmap(memmap, maplen); ++ } else { ++#endif + if (type == TIMELIB_TZINFO_PHP) { + read_location(&tzf, tmp); + } else { + set_default_location_and_comments(&tzf, tmp); + } ++#ifdef HAVE_SYSTEM_TZDATA ++ } ++#endif + } else { + *error_code = TIMELIB_ERROR_NO_SUCH_TIMEZONE; + tmp = NULL; +diff --git a/ext/date/php_date.c b/ext/date/php_date.c +index 2d5cffb963..389f09f313 100644 +--- a/ext/date/php_date.c ++++ b/ext/date/php_date.c +@@ -457,7 +457,11 @@ PHP_MINFO_FUNCTION(date) + php_info_print_table_row(2, "date/time support", "enabled"); + php_info_print_table_row(2, "timelib version", TIMELIB_ASCII_VERSION); + php_info_print_table_row(2, "\"Olson\" Timezone Database Version", tzdb->version); ++#ifdef HAVE_SYSTEM_TZDATA ++ php_info_print_table_row(2, "Timezone Database", "system"); ++#else + php_info_print_table_row(2, "Timezone Database", php_date_global_timezone_db_enabled ? "external" : "internal"); ++#endif + php_info_print_table_row(2, "Default timezone", guess_timezone(tzdb)); + php_info_print_table_end(); + diff --git a/php-8.0.13-crypt.patch b/php-8.0.13-crypt.patch new file mode 100644 index 0000000..31a8c8a --- /dev/null +++ b/php-8.0.13-crypt.patch @@ -0,0 +1,45 @@ +From fc4e31467c352032ee709ac55d3c67bc22abcd8d Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Fri, 15 Oct 2021 17:11:12 +0200 +Subject: [PATCH] add --with-external-libcrypt build option display an error + message if some algo not available in external libcrypt + +--- + ext/standard/config.m4 | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/ext/standard/config.m4 b/ext/standard/config.m4 +index 58b9c5e658a4..3ec18be4d7df 100644 +--- a/ext/standard/config.m4 ++++ b/ext/standard/config.m4 +@@ -267,14 +267,25 @@ int main() { + ])]) + + ++PHP_ARG_WITH([external-libcrypt], ++ [for external libcrypt or libxcrypt], ++ [AS_HELP_STRING([--with-external-libcrypt], ++ [Use external libcrypt or libxcrypt])], ++ [no], ++ [no]) ++ + dnl + dnl If one of them is missing, use our own implementation, portable code is then possible + dnl +-dnl TODO This is currently always enabled +-if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no" || test "$ac_cv_func_crypt_r" != "yes" || true; then +- AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 1, [Whether PHP has to use its own crypt_r for blowfish, des, ext des and md5]) +- +- PHP_ADD_SOURCES(PHP_EXT_DIR(standard), crypt_freesec.c crypt_blowfish.c crypt_sha512.c crypt_sha256.c php_crypt_r.c) ++dnl This is currently enabled by default ++if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no" || test "$ac_cv_func_crypt_r" != "yes" || test "$PHP_EXTERNAL_LIBCRYPT" = "no"; then ++ if test "$PHP_EXTERNAL_LIBCRYPT" = "no"; then ++ AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 1, [Whether PHP has to use its own crypt_r for blowfish, des, ext des and md5]) ++ ++ PHP_ADD_SOURCES(PHP_EXT_DIR(standard), crypt_freesec.c crypt_blowfish.c crypt_sha512.c crypt_sha256.c php_crypt_r.c) ++ else ++ AC_MSG_ERROR([Cannot use external libcrypt as some algo are missing]) ++ fi + else + AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 0, [Whether PHP has to use its own crypt_r for blowfish, des and ext des]) + fi diff --git a/php-8.0.19-parser.patch b/php-8.0.19-parser.patch new file mode 100644 index 0000000..8a28e4d --- /dev/null +++ b/php-8.0.19-parser.patch @@ -0,0 +1,16 @@ +diff -up ./build/gen_stub.php.syslib ./build/gen_stub.php +--- ./build/gen_stub.php.syslib 2020-06-25 08:11:51.782046813 +0200 ++++ ./build/gen_stub.php 2020-06-25 08:13:11.188860368 +0200 +@@ -1075,6 +1075,12 @@ function initPhpParser() { + } + + $isInitialized = true; ++ ++ if (file_exists('/usr/share/php/PhpParser4/autoload.php')) { ++ require_once '/usr/share/php/PhpParser4/autoload.php'; ++ return; ++ } ++ + $version = "4.13.0"; + $phpParserDir = __DIR__ . "/PHP-Parser-$version"; + if (!is_dir($phpParserDir)) { diff --git a/php-8.0.6-deprecated.patch b/php-8.0.6-deprecated.patch new file mode 100644 index 0000000..1e6b93b --- /dev/null +++ b/php-8.0.6-deprecated.patch @@ -0,0 +1,400 @@ +From 4dc8b3c0efaae25b08c8f59b068f17c97c59d0ae Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Wed, 5 May 2021 15:41:00 +0200 +Subject: [PATCH] get rid of inet_aton and inet_ntoa use inet_ntop iand + inet_pton where available standardize buffer size + +--- + ext/sockets/sockaddr_conv.c | 4 ++++ + ext/sockets/sockets.c | 48 +++++++++++++++++++++++++------------ + ext/standard/dns.c | 16 ++++++++++++- + main/network.c | 20 ++++++++++++++-- + 4 files changed, 70 insertions(+), 18 deletions(-) + +diff --git a/ext/sockets/sockaddr_conv.c b/ext/sockets/sockaddr_conv.c +index 57996612d2d7e..65c8418fb3a6f 100644 +--- a/ext/sockets/sockaddr_conv.c ++++ b/ext/sockets/sockaddr_conv.c +@@ -87,7 +87,11 @@ int php_set_inet_addr(struct sockaddr_in *sin, char *string, php_socket *php_soc + struct in_addr tmp; + struct hostent *host_entry; + ++#ifdef HAVE_INET_PTON ++ if (inet_pton(AF_INET, string, &tmp)) { ++#else + if (inet_aton(string, &tmp)) { ++#endif + sin->sin_addr.s_addr = tmp.s_addr; + } else { + if (strlen(string) > MAXFQDNLEN || ! (host_entry = php_network_gethostbyname(string))) { +diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c +index 16ad3e8013a4c..85c938d1b97b1 100644 +--- a/ext/sockets/sockets.c ++++ b/ext/sockets/sockets.c +@@ -220,8 +220,10 @@ zend_module_entry sockets_module_entry = { + ZEND_GET_MODULE(sockets) + #endif + ++#ifndef HAVE_INET_NTOP + /* inet_ntop should be used instead of inet_ntoa */ + int inet_ntoa_lock = 0; ++#endif + + static int php_open_listen_sock(php_socket *sock, int port, int backlog) /* {{{ */ + { +@@ -1082,10 +1084,12 @@ PHP_FUNCTION(socket_getsockname) + struct sockaddr_in *sin; + #if HAVE_IPV6 + struct sockaddr_in6 *sin6; +- char addr6[INET6_ADDRSTRLEN+1]; ++#endif ++#ifdef HAVE_INET_NTOP ++ char addrbuf[INET6_ADDRSTRLEN]; + #endif + struct sockaddr_un *s_un; +- char *addr_string; ++ const char *addr_string; + socklen_t salen = sizeof(php_sockaddr_storage); + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oz|z", &arg1, socket_ce, &addr, &port) == FAILURE) { +@@ -1106,8 +1110,8 @@ PHP_FUNCTION(socket_getsockname) + #if HAVE_IPV6 + case AF_INET6: + sin6 = (struct sockaddr_in6 *) sa; +- inet_ntop(AF_INET6, &sin6->sin6_addr, addr6, INET6_ADDRSTRLEN); +- ZEND_TRY_ASSIGN_REF_STRING(addr, addr6); ++ inet_ntop(AF_INET6, &sin6->sin6_addr, addrbuf, sizeof(addrbuf)); ++ ZEND_TRY_ASSIGN_REF_STRING(addr, addrbuf); + + if (port != NULL) { + ZEND_TRY_ASSIGN_REF_LONG(port, htons(sin6->sin6_port)); +@@ -1117,11 +1121,14 @@ PHP_FUNCTION(socket_getsockname) + #endif + case AF_INET: + sin = (struct sockaddr_in *) sa; ++#ifdef HAVE_INET_NTOP ++ addr_string = inet_ntop(AF_INET, &sin->sin_addr, addrbuf, sizeof(addrbuf)); ++#else + while (inet_ntoa_lock == 1); + inet_ntoa_lock = 1; + addr_string = inet_ntoa(sin->sin_addr); + inet_ntoa_lock = 0; +- ++#endif + ZEND_TRY_ASSIGN_REF_STRING(addr, addr_string); + + if (port != NULL) { +@@ -1154,10 +1161,12 @@ PHP_FUNCTION(socket_getpeername) + struct sockaddr_in *sin; + #if HAVE_IPV6 + struct sockaddr_in6 *sin6; +- char addr6[INET6_ADDRSTRLEN+1]; ++#endif ++#ifdef HAVE_INET_NTOP ++ char addrbuf[INET6_ADDRSTRLEN]; + #endif + struct sockaddr_un *s_un; +- char *addr_string; ++ const char *addr_string; + socklen_t salen = sizeof(php_sockaddr_storage); + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oz|z", &arg1, socket_ce, &arg2, &arg3) == FAILURE) { +@@ -1178,9 +1187,9 @@ PHP_FUNCTION(socket_getpeername) + #if HAVE_IPV6 + case AF_INET6: + sin6 = (struct sockaddr_in6 *) sa; +- inet_ntop(AF_INET6, &sin6->sin6_addr, addr6, INET6_ADDRSTRLEN); ++ inet_ntop(AF_INET6, &sin6->sin6_addr, addrbuf, sizeof(addrbuf)); + +- ZEND_TRY_ASSIGN_REF_STRING(arg2, addr6); ++ ZEND_TRY_ASSIGN_REF_STRING(arg2, addrbuf); + + if (arg3 != NULL) { + ZEND_TRY_ASSIGN_REF_LONG(arg3, htons(sin6->sin6_port)); +@@ -1191,11 +1200,14 @@ PHP_FUNCTION(socket_getpeername) + #endif + case AF_INET: + sin = (struct sockaddr_in *) sa; ++#ifdef HAVE_INET_NTOP ++ addr_string = inet_ntop(AF_INET, &sin->sin_addr, addrbuf, sizeof(addrbuf)); ++#else + while (inet_ntoa_lock == 1); + inet_ntoa_lock = 1; + addr_string = inet_ntoa(sin->sin_addr); + inet_ntoa_lock = 0; +- ++#endif + ZEND_TRY_ASSIGN_REF_STRING(arg2, addr_string); + + if (arg3 != NULL) { +@@ -1527,12 +1539,14 @@ PHP_FUNCTION(socket_recvfrom) + struct sockaddr_in sin; + #if HAVE_IPV6 + struct sockaddr_in6 sin6; +- char addr6[INET6_ADDRSTRLEN]; ++#endif ++#ifdef HAVE_INET_NTOP ++ char addrbuf[INET6_ADDRSTRLEN]; + #endif + socklen_t slen; + int retval; + zend_long arg3, arg4; +- char *address; ++ const char *address; + zend_string *recv_buf; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "Ozllz|z", &arg1, socket_ce, &arg2, &arg3, &arg4, &arg5, &arg6) == FAILURE) { +@@ -1590,7 +1604,11 @@ PHP_FUNCTION(socket_recvfrom) + ZSTR_LEN(recv_buf) = retval; + ZSTR_VAL(recv_buf)[ZSTR_LEN(recv_buf)] = '\0'; + ++#ifdef HAVE_INET_NTOP ++ address = inet_ntop(AF_INET, &sin.sin_addr, addrbuf, sizeof(addrbuf)); ++#else + address = inet_ntoa(sin.sin_addr); ++#endif + + ZEND_TRY_ASSIGN_REF_NEW_STR(arg2, recv_buf); + ZEND_TRY_ASSIGN_REF_STRING(arg5, address ? address : "0.0.0.0"); +@@ -1617,11 +1635,11 @@ PHP_FUNCTION(socket_recvfrom) + ZSTR_LEN(recv_buf) = retval; + ZSTR_VAL(recv_buf)[ZSTR_LEN(recv_buf)] = '\0'; + +- memset(addr6, 0, INET6_ADDRSTRLEN); +- inet_ntop(AF_INET6, &sin6.sin6_addr, addr6, INET6_ADDRSTRLEN); ++ memset(addrbuf, 0, INET6_ADDRSTRLEN); ++ inet_ntop(AF_INET6, &sin6.sin6_addr, addrbuf, sizeof(addrbuf)); + + ZEND_TRY_ASSIGN_REF_NEW_STR(arg2, recv_buf); +- ZEND_TRY_ASSIGN_REF_STRING(arg5, addr6[0] ? addr6 : "::"); ++ ZEND_TRY_ASSIGN_REF_STRING(arg5, addrbuf[0] ? addrbuf : "::"); + ZEND_TRY_ASSIGN_REF_LONG(arg6, ntohs(sin6.sin6_port)); + break; + #endif +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index 41b98424edb60..6efdbbe894b46 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -228,6 +228,9 @@ PHP_FUNCTION(gethostbynamel) + struct hostent *hp; + struct in_addr in; + int i; ++#ifdef HAVE_INET_NTOP ++ char addr4[INET_ADDRSTRLEN]; ++#endif + + ZEND_PARSE_PARAMETERS_START(1, 1) + Z_PARAM_PATH(hostname, hostname_len) +@@ -255,7 +258,11 @@ PHP_FUNCTION(gethostbynamel) + } + + in = *h_addr_entry; ++#ifdef HAVE_INET_NTOP ++ add_next_index_string(return_value, inet_ntop(AF_INET, &in, addr4, INET_ADDRSTRLEN)); ++#else + add_next_index_string(return_value, inet_ntoa(in)); ++#endif + } + } + /* }}} */ +@@ -266,7 +273,10 @@ static zend_string *php_gethostbyname(char *name) + struct hostent *hp; + struct in_addr *h_addr_0; /* Don't call this h_addr, it's a macro! */ + struct in_addr in; +- char *address; ++#ifdef HAVE_INET_NTOP ++ char addr4[INET_ADDRSTRLEN]; ++#endif ++ const char *address; + + hp = php_network_gethostbyname(name); + if (!hp) { +@@ -281,7 +291,11 @@ static zend_string *php_gethostbyname(char *name) + + memcpy(&in.s_addr, h_addr_0, sizeof(in.s_addr)); + ++#ifdef HAVE_INET_NTOP ++ address = inet_ntop(AF_INET, &in, addr4, INET_ADDRSTRLEN); ++#else + address = inet_ntoa(in); ++#endif + return zend_string_init(address, strlen(address), 0); + } + /* }}} */ +diff --git a/main/network.c b/main/network.c +index 2c504952b2dd1..7f2f714ec42df 100644 +--- a/main/network.c ++++ b/main/network.c +@@ -236,8 +236,12 @@ PHPAPI int php_network_getaddresses(const char *host, int socktype, struct socka + } while ((sai = sai->ai_next) != NULL); + + freeaddrinfo(res); ++#else ++#ifdef HAVE_INET_PTON ++ if (!inet_pton(AF_INET, host, &in)) { + #else + if (!inet_aton(host, &in)) { ++#endif + if(strlen(host) > MAXFQDNLEN) { + host_info = NULL; + errno = E2BIG; +@@ -555,7 +559,11 @@ PHPAPI int php_network_parse_network_address_with_port(const char *addr, zend_lo + goto out; + } + #endif ++#ifdef HAVE_INET_PTON ++ if (inet_pton(AF_INET, tmp, &in4->sin_addr) > 0) { ++#else + if (inet_aton(tmp, &in4->sin_addr) > 0) { ++#endif + in4->sin_port = htons(port); + in4->sin_family = AF_INET; + *sl = sizeof(struct sockaddr_in); +@@ -617,15 +625,19 @@ PHPAPI void php_network_populate_name_from_sockaddr( + } + + if (textaddr) { +-#if HAVE_IPV6 && HAVE_INET_NTOP ++#ifdef HAVE_INET_NTOP + char abuf[256]; + #endif +- char *buf = NULL; ++ const char *buf = NULL; + + switch (sa->sa_family) { + case AF_INET: + /* generally not thread safe, but it *is* thread safe under win32 */ ++#ifdef HAVE_INET_NTOP ++ buf = inet_ntop(AF_INET, &((struct sockaddr_in*)sa)->sin_addr, (char *)&abuf, sizeof(abuf)); ++#else + buf = inet_ntoa(((struct sockaddr_in*)sa)->sin_addr); ++#endif + if (buf) { + *textaddr = strpprintf(0, "%s:%d", + buf, ntohs(((struct sockaddr_in*)sa)->sin_port)); +@@ -862,7 +874,11 @@ php_socket_t php_network_connect_socket_to_host(const char *host, unsigned short + + in4->sin_family = sa->sa_family; + in4->sin_port = htons(bindport); ++#ifdef HAVE_INET_PTON ++ if (!inet_pton(AF_INET, bindto, &in4->sin_addr)) { ++#else + if (!inet_aton(bindto, &in4->sin_addr)) { ++#endif + php_error_docref(NULL, E_WARNING, "Invalid IP Address: %s", bindto); + goto skip_bind; + } +From e5b6f43ec7813392d83ea586b7902e0396a1f792 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Thu, 6 May 2021 14:21:29 +0200 +Subject: [PATCH] get rid of inet_addr usage + +--- + main/fastcgi.c | 4 ++++ + sapi/litespeed/lsapilib.c | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/main/fastcgi.c b/main/fastcgi.c +index 071f69d3a7f0..c936d42405de 100644 +--- a/main/fastcgi.c ++++ b/main/fastcgi.c +@@ -688,8 +688,12 @@ int fcgi_listen(const char *path, int backlog) + if (!*host || !strncmp(host, "*", sizeof("*")-1)) { + sa.sa_inet.sin_addr.s_addr = htonl(INADDR_ANY); + } else { ++#ifdef HAVE_INET_PTON ++ if (!inet_pton(AF_INET, host, &sa.sa_inet.sin_addr)) { ++#else + sa.sa_inet.sin_addr.s_addr = inet_addr(host); + if (sa.sa_inet.sin_addr.s_addr == INADDR_NONE) { ++#endif + struct hostent *hep; + + if(strlen(host) > MAXFQDNLEN) { +diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c +index a72b5dc1b988..305f3326a682 100644 +--- a/sapi/litespeed/lsapilib.c ++++ b/sapi/litespeed/lsapilib.c +@@ -2672,8 +2672,12 @@ int LSAPI_ParseSockAddr( const char * pBind, struct sockaddr * pAddr ) + ((struct sockaddr_in *)pAddr)->sin_addr.s_addr = htonl( INADDR_LOOPBACK ); + else + { ++#ifdef HAVE_INET_PTON ++ if (!inet_pton(AF_INET, p, &((struct sockaddr_in *)pAddr)->sin_addr)) ++#else + ((struct sockaddr_in *)pAddr)->sin_addr.s_addr = inet_addr( p ); + if ( ((struct sockaddr_in *)pAddr)->sin_addr.s_addr == INADDR_BROADCAST) ++#endif + { + doAddrInfo = 1; + } +From 99d67d121acd4c324738509679d23acaf759d065 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Thu, 6 May 2021 16:35:48 +0200 +Subject: [PATCH] use getnameinfo instead of gethostbyaddr + +--- + ext/standard/dns.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index edd9a4549f5c..540c777faaba 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -169,20 +169,30 @@ PHP_FUNCTION(gethostbyaddr) + static zend_string *php_gethostbyaddr(char *ip) + { + #if HAVE_IPV6 && HAVE_INET_PTON +- struct in6_addr addr6; +-#endif +- struct in_addr addr; +- struct hostent *hp; ++ struct sockaddr_in sa4; ++ struct sockaddr_in6 sa6; ++ char out[NI_MAXHOST]; + +-#if HAVE_IPV6 && HAVE_INET_PTON +- if (inet_pton(AF_INET6, ip, &addr6)) { +- hp = gethostbyaddr((char *) &addr6, sizeof(addr6), AF_INET6); +- } else if (inet_pton(AF_INET, ip, &addr)) { +- hp = gethostbyaddr((char *) &addr, sizeof(addr), AF_INET); +- } else { +- return NULL; ++ if (inet_pton(AF_INET6, ip, &sa6.sin6_addr)) { ++ sa6.sin6_family = AF_INET6; ++ ++ if (getnameinfo((struct sockaddr *)&sa6, sizeof(sa6), out, sizeof(out), NULL, 0, NI_NAMEREQD) < 0) { ++ return zend_string_init(ip, strlen(ip), 0); ++ } ++ return zend_string_init(out, strlen(out), 0); ++ } else if (inet_pton(AF_INET, ip, &sa4.sin_addr)) { ++ sa4.sin_family = AF_INET; ++ ++ if (getnameinfo((struct sockaddr *)&sa4, sizeof(sa4), out, sizeof(out), NULL, 0, NI_NAMEREQD) < 0) { ++ return zend_string_init(ip, strlen(ip), 0); ++ } ++ return zend_string_init(out, strlen(out), 0); + } ++ return NULL; /* not a valid IP */ + #else ++ struct in_addr addr; ++ struct hostent *hp; ++ + addr.s_addr = inet_addr(ip); + + if (addr.s_addr == -1) { +@@ -190,13 +200,13 @@ static zend_string *php_gethostbyaddr(char *ip) + } + + hp = gethostbyaddr((char *) &addr, sizeof(addr), AF_INET); +-#endif + + if (!hp || hp->h_name == NULL || hp->h_name[0] == '\0') { + return zend_string_init(ip, strlen(ip), 0); + } + + return zend_string_init(hp->h_name, strlen(hp->h_name), 0); ++#endif + } + /* }}} */ + diff --git a/php-8.0.7-argon2.patch b/php-8.0.7-argon2.patch new file mode 100644 index 0000000..88018de --- /dev/null +++ b/php-8.0.7-argon2.patch @@ -0,0 +1,15 @@ +diff --git a/ext/sodium/sodium_pwhash.c b/ext/sodium/sodium_pwhash.c +index e58a9514cc..86cc06cd91 100644 +--- a/ext/sodium/sodium_pwhash.c ++++ b/ext/sodium/sodium_pwhash.c +@@ -62,10 +62,6 @@ static inline int get_options(zend_array *options, size_t *memlimit, size_t *ops + return FAILURE; + } + } +- if ((opt = zend_hash_str_find(options, "threads", strlen("threads"))) && (zval_get_long(opt) != 1)) { +- zend_value_error("A thread value other than 1 is not supported by this implementation"); +- return FAILURE; +- } + return SUCCESS; + } + diff --git a/php-fpm-www.conf b/php-fpm-www.conf new file mode 100644 index 0000000..c001475 --- /dev/null +++ b/php-fpm-www.conf @@ -0,0 +1,438 @@ +; Start a new pool named 'www'. +; the variable $pool can be used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or @php_fpm_prefix@) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +; RPM: apache user chosen to provide access to the same directories as httpd +user = apache +; RPM: Keep a group allowed to write in log dir. +group = apache + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = 127.0.0.1:9000 + +; Set listen(2) backlog. +; Default Value: 511 +;listen.backlog = 511 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. +; Default Values: user and group are set as the running user +; mode is set to 0660 +;listen.owner = nobody +;listen.group = nobody +;listen.mode = 0660 + +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. +; When set, listen.owner and listen.group are ignored +;listen.acl_users = apache +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +listen.allowed_clients = 127.0.0.1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user +; or group is different than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 50 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 5 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 5 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 35 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. It shows the following information: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. +; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. +; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: @EXPANDED_DATADIR@/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. +; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{milliseconds}d +; - %{mili}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some examples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +slowlog = /var/log/php-fpm/www-slow.log + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. +; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environment, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or @prefix@) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +php_admin_value[error_log] = /var/log/php-fpm/www-error.log +php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 128M + +; Set the following data paths to directories owned by the FPM process user. +; +; Do not change the ownership of existing system directories, if the process +; user does not have write permission, create dedicated directories for this +; purpose. +; +; See warning about choosing the location of these directories on your system +; at http://php.net/session.save-path +php_value[session.save_handler] = files +php_value[session.save_path] = /var/lib/php/session +php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache +;php_value[opcache.file_cache] = /var/lib/php/opcache diff --git a/php-fpm.conf b/php-fpm.conf new file mode 100644 index 0000000..53a07b6 --- /dev/null +++ b/php-fpm.conf @@ -0,0 +1,137 @@ +;;;;;;;;;;;;;;;;;;;;; +; FPM Configuration ; +;;;;;;;;;;;;;;;;;;;;; + +; All relative paths in this configuration file are relative to PHP's install +; prefix. + +; Include one or more files. If glob(3) exists, it is used to include a bunch of +; files from a glob(3) pattern. This directive can be used everywhere in the +; file. +include=/etc/php-fpm.d/*.conf + +;;;;;;;;;;;;;;;;;; +; Global Options ; +;;;;;;;;;;;;;;;;;; + +[global] +; Pid file +; Default Value: none +pid = /run/php-fpm/php-fpm.pid + +; Error log file +; If it's set to "syslog", log is sent to syslogd instead of being written +; in a local file. +; Default Value: /var/log/php-fpm.log +error_log = /var/log/php-fpm/error.log + +; syslog_facility is used to specify what type of program is logging the +; message. This lets syslogd specify that messages from different facilities +; will be handled differently. +; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) +; Default Value: daemon +;syslog.facility = daemon + +; syslog_ident is prepended to every message. If you have multiple FPM +; instances running on the same server, you can change the default value +; which must suit common needs. +; Default Value: php-fpm +;syslog.ident = php-fpm + +; Log level +; Possible Values: alert, error, warning, notice, debug +; Default Value: notice +;log_level = notice + +; Log limit on number of characters in the single line (log entry). If the +; line is over the limit, it is wrapped on multiple lines. The limit is for +; all logged characters including message prefix and suffix if present. However +; the new line character does not count into it as it is present only when +; logging to a file descriptor. It means the new line character is not present +; when logging to syslog. +; Default Value: 1024 +;log_limit = 4096 + +; Log buffering specifies if the log line is buffered which means that the +; line is written in a single write operation. If the value is false, then the +; data is written directly into the file descriptor. It is an experimental +; option that can potentionaly improve logging performance and memory usage +; for some heavy logging scenarios. This option is ignored if logging to syslog +; as it has to be always buffered. +; Default value: yes +;log_buffering = no + +; If this number of child processes exit with SIGSEGV or SIGBUS within the time +; interval set by emergency_restart_interval then FPM will restart. A value +; of '0' means 'Off'. +; Default Value: 0 +;emergency_restart_threshold = 0 + +; Interval of time used by emergency_restart_interval to determine when +; a graceful restart will be initiated. This can be useful to work around +; accidental corruptions in an accelerator's shared memory. +; Available Units: s(econds), m(inutes), h(ours), or d(ays) +; Default Unit: seconds +; Default Value: 0 +;emergency_restart_interval = 0 + +; Time limit for child processes to wait for a reaction on signals from master. +; Available units: s(econds), m(inutes), h(ours), or d(ays) +; Default Unit: seconds +; Default Value: 0 +;process_control_timeout = 0 + +; The maximum number of processes FPM will fork. This has been designed to control +; the global number of processes when using dynamic PM within a lot of pools. +; Use it with caution. +; Note: A value of 0 indicates no limit +; Default Value: 0 +;process.max = 128 + +; Specify the nice(2) priority to apply to the master process (only if set) +; The value can vary from -19 (highest priority) to 20 (lowest priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool process will inherit the master process priority +; unless specified otherwise +; Default Value: no set +;process.priority = -19 + +; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. +; Default Value: yes +daemonize = yes + +; Set open file descriptor rlimit for the master process. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit for the master process. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Specify the event mechanism FPM will use. The following is available: +; - select (any POSIX os) +; - poll (any POSIX os) +; - epoll (linux >= 2.5.44) +; Default Value: not set (auto detection) +;events.mechanism = epoll + +; When FPM is built with systemd integration, specify the interval, +; in seconds, between health report notification to systemd. +; Set to 0 to disable. +; Available Units: s(econds), m(inutes), h(ours) +; Default Unit: seconds +; Default value: 10 +;systemd_interval = 10 + +;;;;;;;;;;;;;;;;;;;; +; Pool Definitions ; +;;;;;;;;;;;;;;;;;;;; + +; Multiple pools of child processes may be started with different listening +; ports and different management options. The name of the pool will be +; used in logs and stats. There is no limitation on the number of pools which +; FPM can handle. Your system will tell you anyway :) + +; See /etc/php-fpm.d/*.conf + diff --git a/php-fpm.logrotate b/php-fpm.logrotate new file mode 100644 index 0000000..25f9feb --- /dev/null +++ b/php-fpm.logrotate @@ -0,0 +1,9 @@ +/var/log/php-fpm/*log { + missingok + notifempty + sharedscripts + delaycompress + postrotate + /bin/kill -SIGUSR1 `cat /run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true + endscript +} diff --git a/php-fpm.service b/php-fpm.service new file mode 100644 index 0000000..687dfc0 --- /dev/null +++ b/php-fpm.service @@ -0,0 +1,18 @@ +# It's not recommended to modify this file in-place, because it +# will be overwritten during upgrades. If you want to customize, +# the best way is to use the "systemctl edit" command. + +[Unit] +Description=The PHP FastCGI Process Manager +After=syslog.target network.target + +[Service] +Type=notify +EnvironmentFile=/etc/sysconfig/php-fpm +ExecStart=/usr/sbin/php-fpm --nodaemonize +ExecReload=/bin/kill -USR2 $MAINPID +PrivateTmp=true + +[Install] +WantedBy=multi-user.target + diff --git a/php-fpm.sysconfig b/php-fpm.sysconfig new file mode 100644 index 0000000..4099ed6 --- /dev/null +++ b/php-fpm.sysconfig @@ -0,0 +1,14 @@ +# Additional environment file for php-fpm + +# This file is deprecated when systemd is used and +# will be removed in the future + +# With systemd >= 204 you can simply drop a file with the +# suffix .conf in /etc/systemd/system/php-fpm.service.d, with +# [Service] +# Environment=FOO=bar + +# See systemd documentation. +# man systemd.unit +# man systemd.exec + diff --git a/php-fpm.wants b/php-fpm.wants new file mode 100644 index 0000000..5c7c8e4 --- /dev/null +++ b/php-fpm.wants @@ -0,0 +1,3 @@ +[Unit] +Wants=php-fpm.service + diff --git a/php-keyring.gpg b/php-keyring.gpg new file mode 100644 index 0000000..870d816 --- /dev/null +++ b/php-keyring.gpg @@ -0,0 +1,415 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFjxRtoBEADkS6+Q7afwYDPFnqJXuyF2ZIvXysDBrpr/xbre4jVeiC/HIELa +QedOJqO1V+BgnTRkfhor+Yq3mZ1un+6zJIiFcm5Kp7sPZjh15JF96PsA4e2Eh5eC +eJzjXHj1nAKXfn5+CgpYEyL30r1/ACkmo9TKIiUxIDZRkZvxjY4UKeo+EoJo0Viu +tV8mvSTgxaz9gzPhZ5OJR8zECT8j3T8d+tBD8wWxxmGZ0veOu/MBew1C/BDr8RqT +CXDywUbyNuSsdb3a5aLuIuLekSJVSCcFwPIje1WrX4FyC42+elOp0SXpjWzdb08N +XX4DEY8zVyVXI1ScSpTbslffcFkY60NJhjpP7t856L9vTLRfHIM9BIdSYH/ar5mE +Q0vyJbiNfkx5tIMnEmnIYbmnjjmcPZDKZ4PyQEUEWF3DqNOOAWhk9HUMFEkANkd1 +vEcNNQxgD2eOJM6egfUv9KtuAEcRX2iDu3gIyE+55x92VVoEJDu5M+Q6PYGUIMh7 +nz2gS3lnlpG2vquQpqDS9UogsZ8L4NsukdP2ixRFnD9qaTOemqRYwIptOX6wvrtR +7PmWOnnRZ5OcpK5/qyK9iCLY7bbHDViBoV0uLEHNPTDHjrALJrqS+dH1glYid/82 +OvKE3KREjRpMOW83nNfQcqkMi9fhH8WUkz6OD6JemvB/s/CwBS2w3+9LAQARAQAB +tB5TYXJhIEdvbGVtb24gPHBvbGxpdGFAcGhwLm5ldD6JAj4EEwECACgCGwMGCwkI +BwMCBhUIAgkKCwQWAgMBAh4BAheABQJY/TOeBQkNNFUtAAoJENvbOXRw0SFy1xYP +/jQeNv4WUPK3M0Hl3EvEnOeODxePysU0khvgnw/mRtQu7BOwRdbB0HWv8Kx0HXL7 +XI4l2myHRZbd9PrBlG4YFYjZqWmqQ9WGlLBxDpSJNeROpTgKjhxA2hOl1xH2Et5k +bRcZzpJJ9zuD3rqkq80S3u/UAB/QzYfJWKnQBTXi/3psZNAVTRp3/4sEn1kCfEnl +NUYPih/NqdXE0frlKeITOAmatD2cjYcJlc/ETLil8Sq1nIgiE/++KZalbcXcRSHV +ZSd/L+fNlMDIh6k9pjcE562oiyyMHKed/pAX7o1BqlKqSwxjQoNskpICVFkyMv+P +7cIPyOxJa8kaGyyHND+8i1GzvwcPhLYeOWDwmiXBs4Ea8Z7KWxhi19zlxMrEfAcf +FIomcRoxfzcnSY3FVJYIoEySK/IBiivqeunyeDA2JG1vLSZIV5hNicUihp4hnhX4 +Z1gElN+C68P49SZseFzxvzwMq5RIUbWVwIh2+Wj51/UrULgoM4qNkgejDLYFyTxb +LfXq+Tk91UXdpepBHvE9KFVqh4MbIlyx9TAzOizqLdZlnPRwLb3rWBLsv7XbCTeY +tp4jVU8Q35hnvGFy+GsSROJv04mJW+whyz+zxOEMPiVbVA5um3ZbSj5oou87M9Li +JtrUOqNfyyqddLC8L5LgwwlYKqP+W6Q4LMf/Whoj3FFCuQINBFjxRtoBEACk8wfJ +qP03Hz6PX8br3jEUllSngdD/28K2C4RVOOr71u4FJRcEMR98SbPnCNIUt4KdedO1 +DJpYac1XvIaVBbLxEcBjRMWNhBgZbxoQzPjFTWHQ/UwHZPiiwQkL55fN1ejBEacD +V8B1JwqjcBbii6zItLUV/gxGH7Jce/f7KBM7vWlaP+xHpmd+iPK1swK5wNQzDL83 +b7NPyj58fqlmh54Fr+jcpuUjynaYfjtJsgwc4CScdai7FclctLMg8Y8DW7/bkqf1 +BQy9Dik82IWSN4wgVM1eWSGx+PzPlshGH/C8B53U353NcRhjFp3zX31wQhsJrA7J +p+10S3HbXGrr3aVGMMq3dqSBGp38iKJUmJ3zyVvby5Mk4+8FFmMk3gVuQE52pW4E +OlSVQNQC8yzYsgaG/4N0M8DRpbfPhT5wiD/Qcb7MUXTE96dzs/KcyPJju/aq4cJ6 +DgpbJmM6OZwnx5HYwa58RgOwAVBbsxYOa6oS+Fj02eaiUETwfPHtqF9juCcM5D0m +cLZRT1I4zK60qPb6ZDzuFguXg8hm/djjh2YlDFCNKqCZHktCISTWX5u1cyF5j+UL +3fsKcAAcyiHZV9UH8tr6v0i0P19Uje2ZHk9utJggYSSM0uyqGhmiyd8su2FqitBl +tvTo00Kc8sv4AcDmCng8SVO0og1wiJZdiHJI7QARAQABiQIfBBgBAgAJBQJY8Uba +AhsMAAoJENvbOXRw0SFydu4QALeYG2PPMEOQtMV6jOVT51U0Yo0yl94RJoQCOCCT +/JkUyIDczHmtcVABrpitX3tFl4vacJM3uKWKbzbM7qO2+Hd0u6rxO+o8WUGRMZp5 +IgcbagDOHs0vorVN2Yo0Tl8RoqW91MCvlRFA+8snmKjWfTYj8jxbhIUEtVrIU+5L +DEgDP+T6PvpaVeXfLYItieCsZgib3qPz5mM49jDH84XG5F19kx0QtVGJs7n8FrcA +GcQl/iMrm7dRrRuh9394ongIum0uld287Zlg9q12iJiir3w04Npy43G12RXq9TD9 +aRfbMhQ+HB5Dnvf42mfCfGvalSE0rg9mh1KeaiQUXxCzCf1D6a3H50rh1IDn363W +n41/Hr0j4ntVjvEJxs9nUb8qod2HMOPLOFqwxck7ueGaeDN/GZ5zjPdIppYwE3Lb +CM1ZFLkV+QhFef4zXwml1/AnGGFULgGYorwGCchizhU1wbZVcoUF74MtprnAsuPd +Fxlw+4yCcFEeYVpMDQg/ZfZ28T1GruGHqLJqIVpOum48Ec+fjnHAZAH9dOs/qhBu +CLE+5xUoVyP2lwt0MaHs5SLmxRKhcV6IWRJKTlZ9YdDXbVv5LisL/qDOTjRj7vOg +CPRhklyA0JjFeyTDpSeAWXFZnab0nYBPWkxtdxxRruEeQPAYP1vl0O6ABMxRAI6o +6zIImQINBFklYukBEAC9tCSjnoNs3ucOA9RPfKcuK87JD9jdet2UUsw4DHd/Hwmr +t3T7WKoH1GwRp+ue5+vzXqdFRZ4gG+7tgvUsOtNb5rh22bTBsUIeGsvm/omJntXC +FQhYcfjtk04p3qtgJ5PGjZahCRYg4aQ2tGp2Mb8auFuFPsHtOHLWQCL7vQShsN9m +EkEzAQZnn9QYL+IvTQVSKsRy8XcHYZVk2uT2xQY2LvkAucWF0TrjU2LJ2IFdepc0 ++jz1xasBR0afT9YccHpQH5w8yOW+9o/n7BiMHfgT0sBMdKCfKVoQrQe0CsFnqc/+ +V4NsnHkyUrbfKiIFm+NOupIMpL6/A+Iky5YpjIIUHPuVL6VAY6wm463WI8FPk+Nt +Gekm9jqISxirkYWsIEoZtCrycC8N0iUbGq8eLYdC9ewU5dagCdLGwnDvYjOvzH15 +6LTiE/Svrq2q0kBDAa7CTGRlT+2sgD89ol73QtAVUJst99lVHMmIL1cV4HUpvOlT +JHRdsN6VhlPrw6ue+2vmYsF86bYni6vMH6KJnmiWa1wijYO0wiSphtTXAa0HE/HT +V+hSb9bCRbyipwdqkEeaj8sKcx9+XyNxVOlUfo8pQZnLRTd61Fvj+sSTSEbo95a5 +gi0WDnyNtiafKEvLxal7VyatbAcCEcLDYAVHffNLg4fm4H35HN0YQpUt+SuVwQAR +AQABtBpSZW1pIENvbGxldCA8cmVtaUBwaHAubmV0PokCPgQTAQIAKAUCWSVi6QIb +AwUJDShogAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ3J/40+5a8n9OJQ/9 +HtuZ4BMPMDFGVPUZ9DP0d74DF/QcT0V101TrdIZ92R4up56Dv40djjQZc2W9BmpP +VFr/v6qdjapdPH5vvmatnQDz/nIOfo1iwPWGzvmKnbDBQ4qJX7Jd6PdD/YorcD+0 +tOQNKLIGE9ZFQnS80iz9iaTGzvQKEQKEMugQSf3kG3NBEGqKQBsTTrBQOUJ3g8w6 +id2/qJtrDRbL9TuCU77Dpx9HUAnjj/Ixlvd4RQDa/BCYzGYJlCyTsaVW3qc7DIh/ +pRadqtswghSETtl6SSo9yHtoYOGTxXO6UikLEE8miOlaOPQrC9hCD+LSGc5QhNLB +EKes0l79w9kw9qZ9Xfh4pw/hf1N4O3kPHyUg0q9QaX1XKtigjTUcpdf2Kq8LtlB6 +0p40eZE2dV3T11X+rcn33pFSXMeTJeaNKHXoeGcva/gyZVtvi8iJhqtw9QOUkxRD +vGB+FEUId3Z1yAu7ZAz6qiUCgxK/VJ6/kBb+YYR8K4FHLmNOd5KoiTerKQu423uu +MYlYfBHpVZ9YuEJQnTEpizFEeOgaixx5RDLnoPsd/x59VS9eaaKotTPbW/rEp7Sv +bKj0dR5WMfGyd/OJrcWVZy8/Kh5Mc/4KOHD+JGAp0bE113TkEEoTZ8gNHFdLdv52 +V9eXUkeT5IxyThZBkUy6palDM8A5vaf6Eet8xOLy9XG5Ag0EWSVi6QEQAKujAODv +sdbt5n1dO29Nj5htbmt6M2A7eOjt7yUj4UMtBaGOA08O0DVA8MJkvepMq9AJBXHZ +Mi9Dycw3rxBHQDqHJJMwghu3RoQw1y5Wym7LiLhoWSU/wK0BrKOULBwh+kS6udKA +4oWrV/gr0JGmfdL8dZjBF10kHCfCcjcjWtmIp2GRaoOKTlHCviNmRxzyqba7zE0Z +c2maQ/4w98BI83GqD1bT8gF/5qwSI1hecBwt9oS7EbZ1ZiE8SSE8Gr6OR3p5UNHb +zqxUWy8W4r3qulCLc6g1LPXP1V59cMxX9jQJ7lSdv0k8C6Lb6t9Wm8G63hNYgRCA +mNW5EnqieTrx45K9vqoqfQK6Apfy0UoOquiuK7QClT3wBd7kmyKsCfV0bwRA/fV/ +sC1Rniu8PV7CRk9ryudUXycKq33pSkrOfZjFIQhCqdJkVc2MPbAuj2pOMutKwGKR +q/Mt3O8nEfGqWaJPa36C6dhlPqjEGTIEk5P493DzM7fj5VVIWyUrI8Vm9FslSvzI +LcONHMtKtRs2cRYA085NKDXGN7i5Am7L7ZONfqVs3V493ICwmALzeSULNLiMtX+E +SQfdWCS3Hosnjbc6INDg9BRhFt5MEWJ/qchM3g4NQuukqtOYsiEUw8bCzepwJxXp +lvNYu0yQDxvP+0RzjMozruVz3VoHeyf6rSWvABEBAAGJAiUEGAECAA8FAlklYukC +GwwFCQ0oaIAACgkQ3J/40+5a8n/8gg//a75gXQ4csiDUTsUndb94EXqraffmMcT5 +oCzfcP+Mecbuv3G8oQZeLRchsW2i4QecnvPwrXAJcF8kJuN/KZLyeh21PWBy55wo +/2nbwOvQockXpK5yVeuc3DmdTaxDnW9u3QpSwbvkEyoCpeHH6rZ1wjqn8Qi1k7nj +C4qgXpRrLQdRsS5ULXpf3IM+vaxbQ5avVnNRu5zMA6M/0reL0RSjgMfnk+3AwLCt +uMiy1aStCe8V7Y60/oauk+IZA1VJlSz2n3675YD7TkTZKkYIYZHTBw3ZPVJo08jd +RUXtGJjpOyyWVjP7GMKvZuQVWqcFyc8QHHaIPDLkdi7B9YFPWqfwJPBfUXcdzjAX +I7N4XsSEeMm8S8SC4FKCidioP/A+bamKcONHUuZ+AztvLh24ZTkqzA/sRRYpbMGU +QzpcDbastuXG66s3e9pJa0R14011A4bofy6Ureh9q6TQNOkNegUUdjbGSd1bfNId +QXRH0+LBV1oaY//v+aBjswy4hJ5oXmQj5jQKFitRCP9jzueyDdMJZ0j0Hhh4ItCz +FV5zIKtWiy7pRp1DXq9LjoyWeeLfKu+HrEGjMwyTGJiMjcL7oCHeiV/a+fY92wpU +rY1/mRVLqKqDIA6/iEL2DVf21U7rXY26xxvf4QFImZaYLwKQYLe8TOOjDA/I9bR1 +JJmh54yw10CZAg0EYIdBNgEQALohT1pcSlW4sk0DNfAvur1W3U+TEkevuQnKdSD/ +chKs50nLYRuiVrsZsR28tnr2j41uwvm+Y6ZPYAPSkQZ8yAT0pYnXbaIR83iGtZOH +P6wdxV39Mpf0T3yD4dOmgka1hynqNjEbRhE/t2fXNKf0JrBUmkyyhLYbQlkH+raU +gQug9EsyOJxEMER9qZM+Le/JiK5/i+8JxhjPcAQxiKu3l/usGtU6zcVUGjMSqs3Z +89Fa8WBOeGxDwwSKrn8MyyfEWrbCCF4Ao8gBeFmIkWgoeyumIAA0SYZkFjaltbTm +sFjVmYmmLXIKtKTnzZx0+jYJr42s0Q8n2ymgSKcC0Cmn+iuKslhuMpWJaqaHuZhj +K/80BArAYETW6ne1IZWPSsobd/2x4u9iwCkd/SWERA3/KnML6lgOVJfNbFxDxuJ+ +LFvpe6VoSAHlc4fC6+lMroeg011kzjgWX4H94Bdp5svpWHQ/UQ3/YMGvgUY1vy+V +d28bGzuslsnz5o2Zh40h2Dmpti5s2w7Z9TvLD2RMM1N6PrdCXVrQx3bB9nN7x1nL +osn+0v/8gfck93SO9PXLQtUgqhhWsh+/TrOiVWmWqLvbN95zWSnDRVHp1P8vKEGX +I26aokxEd1mVfilQKnHv2k6ieMc1M26GM48uXNqLSihYG2WgNl80agVFU00m/+Ea +9Uz7ABEBAAG0G0JlbiBSYW1zZXkgPHJhbXNleUBwaHAubmV0PokCVAQTAQgAPhYh +BDm2QTQ9jBBLKxRtw/nDncC5aYVEBQJgh0E2AhsDBQkGvxrvBQsJCAcCBhUKCQgL +AgQWAgMBAh4BAheAAAoJEPnDncC5aYVEzJYQAI72cCn9qEq/tRB9n9t02CPgFtLJ +VFBIJIfWeCRLQsv2vmqWGa9ehqsPT3jd0yTqNsV2hRTkzvNnrbIQUtHbRAm2pNz4 +74ClcIHuqbdk7gwfyEHw2vWpEtiVTHbJA1aqQypBrCjdfJt0s65wg4HSpodSelJO +A0shWBhBhSgU4kUvxJKPTcF1UM5iAjmm8OVIQLUeZDLFMJV6FAHmOG0JmvGMhPp1 +Hd3YdNgyyhlF1Jrqx/MK+eRBXbXSAMRSmBuUcV5p16bkt1CQ/vU5Nwi3B2HFpsva +5j6/9NZr4V5q8i2De4CyIpXj31fsKjfgs3k2ShIDUh6rvxyhkCHq1jqc5vYSltnF +9bIEht/Mn383LUoL+vBejY/UIRKShTt6eK6lcnAxa/ujb4nNvoP+UGHCsTRcNK+t +oujDxSYF1nI0zHGKCmNRmEyjW6Kp4eNspoNkm8dAwGaEvgvVNM5Jo5zAI/i4jBO1 +4lG7qTVhH1rVUFOUDKM+HMD6AdiOSp2dXXmY5Xa4OMJ8qWbPEUQP/qzFdceQL/Yj +mzTQOaorhAdB/2ULPiB0XhSJpuz3HSe0Juz8sBVCpabAQHk8++ydOfWRb7hR1oxS +6qJi2TIlT5vOR6X8v4kccxmvoQQbnSdVUTHSgbp/ifVFITek8Rbe9aNRnu4i+NOk +KgA3swgzlkJcKfDGuQINBGCHQTYBEADY0/Oat2b8EDcNSKPJNdyrQlDQ+N2fyTbq +1XPThTe5f3nRT1jepYqfsi/i4/6rza2AMvyxPO7AQSsHYlBYHxccqCH2Q90jCTu7 +iUJyU65Kx3aZC3U7VE4+jl81W5/b5qqjvZNRxLgDZDnvO7hBFh7b+jj7x1ABsHdw +q+zXjmg2mJCBsD4ba5jQaPr+nirvhr/Y744mGpaVWRlg7d/LhL73GRy546DgCVej +gd56vMsi2HBy2BKtjxIr2nd2yJn12+A5yenuagOVpye8F5Dy7ULFJ6iYe1/NpoVn +yipv3m0hE4C0x1vIw8tiXR85cb0aGuYgjOgEyLCE9INmMQ0ZZd1JqZwK2IyWiy0n +DNVJXqkzc3YjYZcrYiBb8dV7kvAf0E+UniIYTYtBU2rOWBM3aTT47Jh6ftss/tQ4 +e0HLeHZpvpWwJtkPHb1jGD/08icZH4XyVxIlEMhziuAZdBDTr7v7xSmqPrw49afW +iXfROV01j94tFdvF48wDOIb3qIBBbsNddqMvHPTShq2wMHlnylVFM/0CJn/yxezB +cuQfRVWeHg7lbzSt0HD29fBz7MlxoOSesmJCN+swoSy4nZ1nhWNHEaRh32Vn2H2q +4ya0rZFEHk2fS6WWBMTh7cjinmklQVxAhB99d+EYCZ4SHu74Ats4LvAsdJwe5I9b +lOIrYecwNwARAQABiQI8BBgBCAAmFiEEObZBND2MEEsrFG3D+cOdwLlphUQFAmCH +QTYCGwwFCQa/Gu8ACgkQ+cOdwLlphUQt+Q/+PWBVFPl05+TbJBF+1yyFXeH3VFjd +zwwKX+z5FgFcuO/ux4Tyef9nVUboiI9zCwEliczljyho+++Utzb2yG7sPwwsls9L +eOA3eb4y9pTsjqEfu7jGIbtIIUGqPtet7x4m5Og38qyXnAFUaJz6JJiFqbhekeNk +SPK/mIfySxkeHBCiyIuvWiAQYFzBYN6DsOKEjjW0HzayKoofKE6fTomaKvUNLs5e +gyvpuJQA+jtF/UFMWHXwE1UF+CsYCmBRR8uVffYzKt1PAJV3HKhRgcrvUudxoMNs +Ifl8VFlQeC6S0L3ZK/yyYW2hFyjpLEYwrIbSDRXzZyekhC12d5MRVpo+xqMhoZGY +iSkFHDfvedjh7htEvjLEDPtolbzZTbdrCFTNnKbTkVAV7z6Sx2AaBX6tCPXycqRe +I1nB1HqGFLOW9zT4a7FaDAy0o8glTx8ERPjbIBy9R1hIIB5ewyAAP1feG5Xfuj6q +Vm7IlELvft1kGvB0gm9k3X+hnbwIVzzgvGuMvl5+NumrD8VcoJ7UvjsFDRsvpHIJ +7zL2rEp4XZ8QwvqOSuYfbxWSTJoW5psyyHurBC4ZF67YFDLB0PiK/CyB4VxYHe79 +GU5ykN+r8SR1eavNndhUFo94I3QQ+999x0DvOhS54Uj4kKidZuZ70yDeh7761wO8 +wqWvQdQZUVULCQWZAg0EYGWinQEQAMQJ6RQqrrZgYJ6SIfzJPsC3zFd00C/UxLQo +aaiAQHEPnEQgjnAPqkvspSE7MpmyAohbUzXVnDO+ycxznIkLz0yYjs/m1qVB6hTM +w/PlD10ELoA6m3om/2E1vQQI78U3w3evBgVlGLzBIXWKLX7ZsBSm4xoPmD9mmisM +sM0xhqQzVuGm0I81gvKkIlWHPB+TqUWBpvDwmIdCRuGis7810OBKaMmTQ/rdhg1T +YZInZPfjeuW+oZ8Lqs4w3cfmyuDbbKQN8b1Qd2d9lJwkudI6KhIyH7uU0F1GeHIg +i9hZJZZcnlDiqtcHZ5YYEUHEzD6rPAL0LoUFpS6dP4DFch8R4oBpW8XTjg2BzfwZ +RCv1IuIgd6HhEUcuWj5QGMi6huCF/2WVDEoGs/K32Kyh+1Jg4OOOpuLP0/YqvsRO +AMbdY80xppR2yMMtpTJPhs5aCykZ8ffHKEsh4VGvi+xFIwuOGElqXoALFPas8N+D +5jXnJQR1/2zekei9YiM6jDXps0SIChBL6vG05cua6X5K+71YHHlDoUubb+tjiIHy +FYtzEe1PPMiLl6XtAdqllLqUQvy+McHgdqNOIU+FxbWDWjDtZ5hlDdZ+sIlz3esG +wl/zQQMdRdTsjcNuElOdl2pMmLlA8CvhJM+IkHVsIHponLtBqN0Ibrw+Sh1kX0sE +cjkfrDSJABEBAAG0KFBhdHJpY2sgQWxsYWVydCA8cGF0cmlja2FsbGFlcnRAcGhw +Lm5ldD6JAmUEEwEIADgWIQTx9pIjj7wWZuWlzNQZn53+9v+6/QUCYGWinQIbAwUL +CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAhCRAZn53+9v+6/RYhBPH2kiOPvBZm5aXM +1Bmfnf72/7r9wugQAJuMXAsnTk2m4Esda1R66IaOx3hms49hTtoJ3XTkOP0z/Y89 +66mJ0Zp/tjhof74jRwN+Eo9R0Vc4WpuXdL6ZaOm6alc4hYsT+13bO1hNEXFP70OF +3sithHac8wShdeutBdXGW/DcR8m7CXOsNWdQAlbYnCb3gt2zTp4DTrxmYVP4YptB +sQBQtaTqHlO0K0UGoHEkqk5PbbOeuUvvBAyeSEvislOxeSCQakBXFVROKojd90Qb +i6XFlNvZWzPgBHsrVRKuopgiNqfNAKz/n5ruhZcI4SKdni7zmv9CLiBO8P/qqzta +9Wv52z669MgPRMfODJr7Q9pG6AZCAm99oKCUStX/adKGBnfu0mx/v0bIyK7YSWp/ +8l4ioiulBs04xeZ1S9T6nMEGry8k2qlErcGI59DAR08aOAbKs/42W70Eoxepx8pw +S8KSyCfTCuF78bDdxXv3uutYb+A1AiHspu+esjJscgcXNRPYruQFBDUQ0aUzVrns +bePX6i1ZXYkPUTSRs6Hu9K8sJQ+mr5dTEae28szDxfN9mPqlNGbsKc21CsXwOJhU +IgU6a32gtZ7xq4g/A9DYHY1jSPhKi2q5JMbckQ2qzrl17zXhVISEcPTebQ0Qcu3Y +S24+k/mAqIGCrlSnFtLOf6MPTtL8JpeW9fiuys2spb/pHhqmlCevbda8CUtLuQIN +BGBlop0BEADLZJnHlI7dfEQ+thWKLLdLpd0MZBOugCqWjYdUfL89OY60W2C3Lrzg +fewjiNLxBzwvqmgEYyQURtlV7o04LJVtyO1B2b7ZQYQoC6gu+KV5z+8w1EOs6G+M +INda/QydjQk8ymChggGdHtWtGzTZ5K1js+e8wJgkF00n9YCxkkz+jJCK1L7w73vt +YvS0qYea1UVxmGG+cBsfQ9GbweRl6TvSjlmLtl7m6h1cpGDQrnyyp/yrfONLby1t +Q32lMhfH09XAPHpJWCfhv9dovgHHtb4Kroaj82UAZz2Je2Rn7SJiACLvezWEFTZM +WClntlHqHIVtmasntzhzzgK6E1IH67DgWR3m82noLpmbYlHAOLmNBsOYRGdfOQG2 +8L25P3HrWV9APikwdPHg4/0tKLgNzhB6yO6dj5Hs/YRsJD0Jn9X+cCNasP5VTLOF +sZD4J1i8jT8brlf/f367qOte3aFAPQq7OFYPvpFY/c0J0D6eb3FHCxfejVQL4YV4 +bg3HOUGynUeBGwHgyQJw/LY0LdCejokylQZr7Dj8H4l3b6x85UhJSKRoIin+c8aX +iI7/2CJbFDAIv3sovyMsAhS+GyntxIpYmoAl0jrqRCr6CWCaFl1Tjh3xrJ+pRCSk +TVq9OASHUqAb532B3Tt+DJzwrlf4qtQDFz7o7lPGXMnxYLW/KEa7QQARAQABiQJN +BBgBCAAgFiEE8faSI4+8FmblpczUGZ+d/vb/uv0FAmBlop0CGwwAIQkQGZ+d/vb/ +uv0WIQTx9pIjj7wWZuWlzNQZn53+9v+6/ccvD/0RXb7doLc6YilekZcEqtvvCrgo +/ZDbda1tjRbpQGyLy9J9whIdD7G7lSoGILSd8U18gCL7PZq96tGq75CDy89u0vI+ +IQ1WemRlfrBZb5qkSOGO2Yr/VYVxxjZbtYiM44aJyrehhA3MCvwzyP27iclH7N0X +sXgJOF1p3AVEfuXHhAVSbR3tkLPe7osXKyDUgUCuvJIPLSglCqPHsm95Xch8PpUX +JRemPpFnsPIlqDKu/vfIrDMZtnEFBog/afjA6sqmC8X2BTKF6Tiv8KKy0divkwsm +dAq+We0vkkIMq1PMc2UkDLv8DujpF4TXMvBXO3AWoKPDNt6L7zMUdymto5TIIA9W +sIbn+aGTfbfSflJlhlzJ53nyzl/x9ukFabwp7jjF6Vyh7KYMQE6ob16JWTo+AZY3 +mvKoUXw6jwGonaBjNkuR9Em/IyjXDx0tiKKaNPdVh8Tg8pcGNt3ssroEKWqLrUjW +lrso/+QPeH2Gl5+NjQYSIcQOcYo/MGuiikA9GJu088+IgJ8bmTiFgMuq/ZLAuQ6g +kpZBQXAN2hVIkV6H5IJwp8lbyf8GG0qBCk9Va03+PZjhZLu/fb9EzVmhyX95cENY +NUE7QXQplsJZqchsBbjgQE38DWiZKT7uyRhZUCUD3h9ZIsYo63NrQNoA+xkz9tub ++4cXQV6iJi/GqeBTcpkCDQRc/6jxARAA6399os7LWW0t8VwhEmjSj+1L14Ryh81Q +PEM15P1DrUXagxeLu7FGmecm7r3/0CA3m6szhpIv9qZ8ifk1KZPYkKQUeFxJvfrt +RfcfDew1Ynp4ansl4+jARv06GdOwkG7EiyVktSPyf0hGqLayeQhmqDl2cxPJuPO8 +JOSDISgk33rU94/QBWA2RRLSJtB3MZupY9Z6RvYMswyRbcYKWQlqZ09iZ4IDqeeO +pl/YuIWECl/99bpEEoqFD9tNlpaY+mDy2ihT6RWe+4uefbSWfFEjxpGd+x1ccCKK +qViYggEl0bw+S60RaS+5xEOG9wnuRrVRnVe9EbTYw2+xMdDsBaFl0qvLPY/66Bfe +D+iZpA/dN2BrsOLLWk7CJ9yCgoHxL185GMLbQNy687bCeVUGDIBF56OKzGBA7bJi +W6Z+XVkVX16li908TBnLy6DItYIqYFmSgGCAYviAmsq1v/dVOddpdAzDW4RfH5Fr +BNopYM92FswF8NtDN+VstwWAUQA2IDX3fYwPimIV+xG8ebgVALy7nWkAdsFGPoZk +UJa+x5Ln8WUOF37kMbNthd/uBelyeDZ2MU6/Eb+z54GOWijnw2l7bnlTysatJ88l +0dezmN0OQ8Yn3SaDjMKNVs+kifqVlAhSip3/eIA4/3P3Bp/RWtakzN9nV/fUVWgc +6hu6FzM6ozcAEQEAAbQlRGVyaWNrIFJldGhhbnMgPGdwZ0BkZXJpY2tyZXRoYW5z +Lm5sPokCVAQTAQoAPhYhBFpSiAeB91Vgi/gV/JEN60b1PqMSBQJc/6l5AhsDBQkS +zAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJEN60b1PqMSNQUP/2me0vxA +BXrqn9uUr/09Cz+HWio7W3b901alD1amIKS4W8cKs1vNe5qHEQKH5Nd/LlYKuyKu +agKWKrfLG7dguNAEVCya3zUqFiT71yh7BD8SvvUUTqgpTet4fHW8sr+rIYgvrXUV +Prb4U5DvzVfMOBBO1QBFM1ZS6J7A8EeVmmyysYc36CPoYb/CB6yMe7G1pnE9tqoo +A4hiHwfrb3t9TeSzKIbKTcuHtGgaxIosp/e3/eFZUi0zPVAQKLBA1rnUHejVb9cA +RZQSIFpLBbUaGGBJSjNualoQOWPnHCuTy9yF6++B4ToLWLB5r9nQu70cdod21tLt +p2BMpryKikpN6OIq5Kpj62uAGDu5b/lhhbQV5tp5gxabhIyfoCnLC6JMHwVsppIG +1XsDtcM4IaFl3bl5Ol0+G0vuNru21e9ydGMHR153hPl5fszWCkWQhHXw728+vIZX +4KI3uLbpJLDHWY8QGrwGpqPMcqObcepkskejpKZX2JtycoiOlntuMWfLLmL7S+Om +YnFkOy8G0TctD45wLlfWtJDzRr2p7TDYcQ3oHf0OQMHAQ4qUJXLYyxlPja4PWiMV +x5I9hLtXfJ4krKK/FJQDccFegBR8vhQVoQ0WFot/Vzo1qu488f0w0tAJDf16+w8W +FhYnIbwfndGMgfu/nkAZ/NAkD/bAul9NGKBctCVEZXJpY2sgUmV0aGFucyAoUEhQ +KSA8ZGVyaWNrQHBocC5uZXQ+iQJUBBMBCgA+FiEEWlKIB4H3VWCL+BX8kQ3rRvU+ +oxIFAlz/qWkCGwMFCRLMAwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQkQ3r +RvU+oxJxzhAAx8TGL+IaTYEzEICUk2wBTISoSMuoF5eZU4x3ZviA6yWG1OLn98uL +eCGjGCMFp1/OFGZfCe/QAVj7/eBZzPnvVj7JkUrPt4EpU0XOpVan9cVh9Yzds62H +Q19WRJOnMYO7xzZcempmUsZ5oAGivRsJ42UhvHi409T/ZpRdyOtiWXmdBXIRK9G3 +OuLBhchvFIhAbjfYbFD+gVzdGThU6xHXAfnLoFuyzYIpXzgrDYdmfkskLmTd4meK +oFVwcBnPWXxUJz1HNxPCI/dY8DUmWjqnb4qBU+JnLq16UmvEG2TdxpKivcoJH5la +IVnAEa2A3answ7WU5yF7n5b9PH9xFsPJpcUc7+rc2F3D6eY8WY+tSSzyKxuRYF7h +FeRifwSSjOMDp50kgUR2f/5gGRD8rDSKTtGq9pVDXtIPt2xEnY/SH6O8Mmusmk8/ +bS61t6HPjEZBGOO9LrYbVBcHCZAHRzWuFTIadyh+q330fXlCYHaHAZiN55TEDocj +1XxlhiLcyRGwDtMnc2IOjJUjyxAXwFwVqVOGCFtop33tj4TCKmMD+NSeLWmCmDLj +81t4r9+O2A2A8AhEMBCC7m9N6DlDdGMeOyzdDTUTp9cdbnLRc2qJNk8Q3C4/FI82 +SoJtOE0buvA9Jfz5GEU+V/ZEuMj+YYRCz6t3iFISCjxWlUTIH5Gw5A20KERlcmlj +ayBSZXRoYW5zIDxkZXJpY2tAZGVyaWNrcmV0aGFucy5ubD6JAlQEEwEKAD4WIQRa +UogHgfdVYIv4FfyRDetG9T6jEgUCXP+o8QIbAwUJEswDAAULCQgHAgYVCgkICwIE +FgIDAQIeAQIXgAAKCRCRDetG9T6jEo2yD/9PNspNKjiGq0u7CBxY4XrFXYNzGVUJ +UQxnCZk5o+K1zpU5VCV8XjXBrehwSe/17hAakl+5j+qFt/prORPHdXPyKyI+SM/O +muc+1AjOU3OPApwrpX0AsYMdDi5BtpXiJ8RGBNEsKJN+hCikpNkUXVlbluvcytCX +/je4TbnJdRFFSJCdP1YXAzrVbXCVFWgTU5g5SwPEpDxs9Qzvgg35PG/U5QiFSTCN +CokT1Hdf+S2a+h5nxSnqm2Vn80NyNBy9y4kBBCkU18NzR96cWxiccshR8qS+7Tg1 +EIBFFnheZkR2MQukfxCHliX40pGipyHE5Kf8huYgNRiHsfdYIfzYQx8lfvwRNq38 +QrMihIfcBZfl6z096J6Aj6XiA5VqcKDdD0gVw77KCkRyzBtGt6kSqStF9JYE9RjB +b375qPsvCVhW/alpScnRtJzVytDT9xeqe5F0V6/GhNvnlgBo3I2p+33gDb5TQOFw +oidV46lXlAYo0sAbXJPw9ZZrHE661HQ9T5CLtJ+cadITX3638Sc6XcsdbD+upU2V +1piQ9gUvgCNdYGjcYMXTfe4l7x+6pthE0lb7u+q/nyzTozez0xoCWygMJlETQXKn +s6EnhMi3phAuUnhso3fWAvwtOgHW9QaL+rx5npad3wGyRo9xqTmrE/El8FgALXY2 +XfggH/zQhIwNIbQxRGVyaWNrIFJldGhhbnMgKEdpdEh1YikgPGdpdGh1YkBkZXJp +Y2tyZXRoYW5zLm5sPokCVAQTAQoAPhYhBFpSiAeB91Vgi/gV/JEN60b1PqMSBQJc +/6lWAhsDBQkSzAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJEN60b1PqMS +jWUQALGWNAhYnuTTAIoKtwPsDab6kJV3TcBaiD5ezXXYX1WFEKMuLenYkCIzRuWO +FkZR8Rr8iJj7viCPWV5bniicsKNq4Af8YIXq8Qnam30gSkHo+jGpzZYnDdFDajYa +x7wVKMxUmPsC6RhfEk0JAFXhoqrFOrsuUw+bBC4LOvFzdufmS8klJq4krpYf1kp5 +CW6/DL38YRrmhq5djyiuA8iJPtylxcR+tXSmyGtgltCiHS4EdOOyG0hOsfkHPqIK +d5Tb7J+pMGimCp/9YV1NINbFpWIG3pF6sopMLU5YHh0Wq7SgfDVmkuPxUaEChTVz +S9y6k3DwhW7ZRpcSx9hDRwaHFw/eTuSdNH/7CpXKr0o/+zuvq+gpAHbPH1GfikoN +B87lSdfUdM95QTveQjS+6IFbQR/5pCEAraZ97EP02A2o45nn2bV/gOvZRqqPuJZQ +8rJ0ryqfxRWj/cRKrtt+k/n0dKQXJt/0g5s+IVgIHHoe5htzsXyjvxfpSL+vut8Y +ftr8lyCzGqFUZaX5zpsgwpy4FMf93ttPYiQuG/pVD4dSxc347xL03rB+0F6YIv6S +DKuA9Yy9bj2xRuJb5WmAlb67qwE7urGvgAkMXs3deVMWJ1oH5KB1t15mOU3Gund/ +q3WO21GQj7leALl4cV+oDXI+3z1idIMEWQWaoY2pT7PnUw5ruQINBFz/qPEBEACw +WHa7KtEtx2KKghel9yLwLx44LRnuKWLjGNrHqjIy6RSWBcOKVUnewtlzr8ugAAE3 +qMXtGd3vCLpEtqDJ4RghBrV9YVLArr9ba4clmSgr1iDKZE4xjR71rkwEcrQA9Iqa +faOQmTzj/MJoErYONat57CfArQs+Sd4SYJyLTZ+6HdSZVyM5tDooookToZaq/FHQ +1gKtQVuIkM7229JaVo+4xQn8N+nQCsKvbl/9ATxXoxzsf2UxDsOOW+Mi9qAmSDdD +pGIsWkFmvZnRPPnLXRkQiCcq703Zt/A5ake4JPLV3ZVvvzhvA37Qz8YE8Pud+jTL +bvZ6eKh/X3XYkUGjtbDUPfY61HTbiLKcDYmEbtD9bPa9gePhNPXVcpVKd+r9UQJA ++Oskt5zbNnOx1JCNIHKJ8s2ll62G4BcS76BnPSzCtGuDnW01xPj8Q5qEHwBcpKvW +j4sRx6DSxhieeMm3FZ2ScCarz2vNY3smDJSc2lOWYlFgQwwzqAsxqA7Lb5VmYuSR +KKEWB8XnQ2rcoAaUuCm8qU/zfa/yn97eZa9VKMMX9X7tcMAuYRD0fEmS9zjeX64h +/+tZdQnUq2Jtthz4qInNs/lSSYhCTC5H9FZ9hFe5X7LiYnTws5o6TXejtXxItaYF +/4Ltdsq/bT5gI/PNqP++iTQFjLDUUoG5S3U8/631+QARAQABiQI8BBgBCgAmFiEE +WlKIB4H3VWCL+BX8kQ3rRvU+oxIFAlz/qPECGwwFCRLMAwAACgkQkQ3rRvU+oxIW +mg/8CHGV74oqKrNf0ruUaHWfm1Lk++/CAp6uSZeMOkJST/4Nl5f2O3aPA7XVk4da +vvHA3IrS053LM7xUUb0FnarKMlKg//3f6Jtvavege6zfG3qj/s6fS/8EgoZkS3sy +wGHYzy299sgZKx7eF/pkVj/olgDQ/MpkM5scpDhY1rHjvhcR8sLM8O5DkOfyTaEi +RuphMRF9G21pu3kIPf4C/4tMN0TmNBzd+9L6n4iQooVsxzAohjlIQl6DjnGM5U7I +o3ufQqCuGOhJNdMPbuaH/ZtLxhnru1kZiHToPoGRDAW8YdjBnYIljW73RKPgMpkI +iL56DXSsb87qKBLZ3aBkjZO2NxT3GUPbCAYQ/b5JQ0Oeu2wbfYDZ8lr+rATED/9Z +6mrmPPgmVg+EmXpX3byBlfLvWuknZQgEFyZEiQUNWsPX1ML+VXUS9VkHYngZ6PDS +PREP+rN/XwsNaCKg76Dx3Vcxq+0Nj9c6qEPoiC4eQGa7iSc7ylHsYlQ9qLrwSBXm +OoGSnFkpToyEi33SA2FqZqLIvG1+z7sqiTiWbTdjZ8GShAwZDDnsbNUxue9YiYFN +UwEkJhcxkApawGhNtWkbDtTrvRRAHZ58CMDMRvpaKfGcpF+RlyRumTlEChpi+vNX +3Uyor2raD12YolIUGbjVdj3vYRkwdvoQ3cZJpZZLHyT9nDWZAg0EWxcHQgEQAJrY +yC/KKIzplzkKtuc6jCpUT2LMovFvUHp+OdCMN+K1SgveBhxsHgK10fx9Ki1Uvo2W +jhUAw1reQk/g06wiusJW0bZ2W5rKQKUPJH2JLEJcVdJAVdq2vGTdsVNkvia8O0XX +zN0tGb2juyjX1HPXUJ5jRBsiPrppeK6+NEizQmj4WYBF6wfsEalJdQ8g7nSR4p9s +HdotI+6ug6hxStcjK/wwFLRqpYwZQLDbRJVVMDAXIVLmmg8CP4VarIsF+PEv9ioC +EaT2yynFVYShmbU2XmUJSlatXaHhS3/C6IkKtOWZdU2Z2Yg0OyAUssikXYDV8bNO +dlSq+0gz+xwmglKGYwMxs1S+CtSnSwbuwmLvN2VMRWDCN4CLYRezmkNW03U2OXRx +rME6qlk82VNcLjpJnc1AVWBF/Wi4K+sG32e+uoTa7vZD4p5YmfgMRwe3sa6KCNgb +ufin5idIttHB/ZOZdyIMvxMqEBkjgCOHArLDFLMeMe364uBt7c2MLCPH6+v584Rd +rOz+Yl8AvKg3+izX6lwXE2VrC/6fkXlW7Z0+gES8YmNd++si5JOjDGqQhJ6h/r9u +ZVGLYk1LpgExgHxGhG1WXISIrGBd0kqFdkHYAIgTZ929grdv4tFpz4+rSBxTBlwd +PCKselkX3b0S5hSqAGsyFL/UT+l7h5vlLvTJe6W5ABEBAAG0IUNocmlzdG9waCBN +LiBCZWNrZXIgPGNtYkBwaHAubmV0PokCVAQTAQgAPhYhBMuvafFzoP6ktTf0cNZs +lZMRi8y2BQJbFwdCAhsDBQkHhM4ABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ +ENZslZMRi8y2o4MP/14vXeLNCNNtnhpbknRUVXrORcKZsDTyTHLx4BJvae9DsB0G +lzGI4xlkWFXRW9o1/3xG/sHpg1hQ2o5qAKPN8IAJBRm+O/cbyYxX5Jowy1l+vipt +93ZS9h+L2nEWk+hBT6hnf23u5po5JKPCEWgAqZxCnFivP5/STND9CZ5fXlTMXGYR +mehI/uGQ1k8qXMLVCG75mMxIbtXVnl0NIoq/mnT8kNWs2y17EKrbhX6tKVdOzsQI +SZ1CN0+SJeYrfCjvlVnCFQS/wG3OfmfsXIMtXR02sLffhai54jIM/DndaGrsNxay +GqScMVMnhkU8Tk1M92fwph3JaMlT7mik+fndWkQZtKAuu9j7CNmFhd19UKPbx+Fp +LIEccYyn0jh0Rngc8Js3ZhIAjaCNpSjJTIuWcNwRdks0hHSuvsK32C+YpakF1G7O +WWFSSy/p7VGXNR6R/sZgn7oC0qd954BGyaMhxmM7fezhcFYCSNG5D+jG2Ri5KtcF +Jcuw4tKXDxT1wg0pmk0tLH+ZNPw307Wdzrjqpz5TrYzLTiycxbl+uo4btKe742rl +uSXVaqx5bVpx6o1i42lGevCjq/n6oBbM78n8gTc4vPrdPjRYONviTplNipLol47h +rPG2yakoe0PqYKFLm7CzHbL64a3ZCK9K/XWth8OUJbDUGWRHnVZ5tpxQqYR2uQIN +BFsXB0IBEADDWz0jKxhy7ARP8K38vBwajJGTbwiuyiUNm/ShCWhmu/JgECQoKJa7 +gd/DpzZgjkA/7fTFGrF//AH8CK2kX/9TDnkLsjsT0Wlm66MOtMyz4HYkTjJHHFqQ +UgyoVhU2xFAp2snVgZLdV7ySoz++t3t9lSu8fUUzqdf07ufX+A4HXzgI6/2A+xzv +bvkWY/j18XE2ME13xiBXitdZGqVLLD02i/OaaQHYi1PEalfLnWtMBPu5oQd+2VTt +6bYsEOPjCOYfXXw7UTvGtOXOHE5wt0mZB28yBv8oZjsNpa36FHW90O+8KGBmrz5X +5c0MuilAnrfGdFaU1cnSFeGyEGdfsG2FzwPL9vfIVX14f92JzcppfwlOjm/vzONj +OE2/GbAOaCG9ppP37yfGmsSftLu4MpBsqSkKB/QlGncwP9tww+swe17DWMKmtm6C +0uSb3dbTb/QNdzWEEz5ZYAU4Aq8Y1Sc8QRlqSgRLmBsvffX4vQsg70r0khp3Ari/ +tcBAkWnnkkOg1xPB0/DGEhOzEIChjImtLghIkYXeVWJcfcR4fPrEcs37V8PR0WWK +s4gNEKy7nBelcB4EfPjEXEYjiAXCzzF5CaoY4uob5RXtvOp20Xv6+thPKFAhuDdP +XLxOGLYJ5/uhk7lElEhTaQ7PqxRsCcWDtf4OZEhOl1ag2G3TEXx/8QARAQABiQI8 +BBgBCAAmFiEEy69p8XOg/qS1N/Rw1myVkxGLzLYFAlsXB0ICGwwFCQeEzgAACgkQ +1myVkxGLzLZwBw/+Osh1vCAHiFUakQ2VPXzHe1wYbZPLbN+8as8O/pF/U6DzwO4Q +KUxjwbMrIFs2t0OucldFgJUjNHxQmKSdeq4x+NNhcZegobY8CIEdsWsXle4jZukq +DP+83xbH0z6AWZI3GuRvNCVg3KN4RRIFCOmBkdfmiGMXZq0tQgFWYFZ+o3R7FPt0 +eZ1Vm34TiG5zRcyZfWqWZtmow9yPYCcV0Xfb7H85H3f3M5xter9LXxbf0XXdPnlW +wZw7iuNgMjgtjUbWiidE/KRVCxEUGzARw7kV12EYESA13z1PYFY5n2evaXw0jCkD +JKtBJ/2HjkL7ruNDkKOtR/1/8D6b/yuKHZQXmLnJ3791yOtNnH064lALDeyZWorb +lSTyblBZmCsw2LKq0OyXEzPkY6KwPWI0oXOc2OSjcYTEIaXMOYACubQ1AeSol9cQ +U7zrIsCRoDN6hI6ENSVsukt8BTRuInHxFIwrmsd00RMsEdtRjfnmvvpLB4YeW7aI +CojEQ4S9Rec5HhbjbS7LcNGVBjgwh5EuA0qQWtjd8cOi3SHlKu9p7vgTaiwuhaH3 +km6Ntuy4xUSuuDA7/WHKxWOaR2JTZQ+QfUUH+JAfM/QUYK7lJAH7v4DaCraEFJND +O2qA/HKCscuFvMFXKZyf3Il33omfBV7l3UGvEWXFx8MMb8YEapUHwyy5+aOZAy4E +T2apoBEIAIVKpwaY26eSNBC7df7JedOYV4SS8zgldlM4F1HxoR680aaYUR/K+NoO +NaL2FzCngT+Vi0L4/tWxWMzU5Jf16rSML+UYvRnJFd6T6Y3LSfkfU1K5Ol/1jXws +yqFzgb5FT4tw2Jn0rQMm44680s/Fbs4dmC7FvfB0o9c1VraPJF8kAqba5okkxPWZ +OYVP1rRDxIqv6ZSusmS4bQfajpLOsq3xbCiKe3V6HrvNWwlom1AVyGcRmeVrAhyo +/bILicsZHcyS5ujDGgQFgJl63XxodVVFu+kbZC2hvwu7nGuwZuZfKZOQdN2m+R9w +kUANrwzM4v3TM7FfBsZ9shk6WHkSfyMBAJeV+fHZ5AvcFJb/pcA1rnV1taISnV3U +ECSkYq1m+WTRB/4z1YCL71pcx7fE/mSvG2CdE1R/ZY3pl3LYzEvVFEkIVvK0uGXS +uicLj0GwZhUayF0QfzGEFuIg4kq5Vn8NOX1sSbs/1zsILuInJUKSFQCGi4frHNlA +0tH5FT5B5tjNfKlV+X31CTsR0yav9YBkIcu69qfKp6kLkQGxrdWcB9B6ZI2gF4YE +pZYuI6w+O9Lvb7LXPhFQwB9cefiX+wUy3zO3v/vgCYk/Bmq5XjWniY87XZXj7E/J +zpGwHzix+yTZBWK9TzDwCS8ZB5iNejPsjBqj3n59a15XNnfopFC9RyQ/ykaMeUNe +cfEnQcjUj+Q4FlKPBHBR/R13vfLp6s+FsuT6B/410jcf0oYkHMbn+tXJYrBR5D13 +m53iNMlGRAa8A/mmDvq8Rr12iBul7hbln7QF9uIlKdCZBZIeJl12P+3fem1u6njg +KTplOB2WYVgwsXWFHjs8hlMMoRES4pgZyL++ryydm8Qk/1gLD9O2Idwx2swpxj/4 +unyVA7QYcs8H2CVWGcLR1vqXVemDUIwjz9GjMExyKPfQSABOCAL/LbNuKoAWhL0U +32dc9t7imFK2oAETJ5n6de523s9RhONWByuqjxsdkKKwGhtYLs6crJTPFXHNR64+ +Qh+Zm7OQtozDYxxB2/DCw29DQPNos/fRzVeyb/sQhglw5anOVUnlCt2YTT8FtDJT +dGFuaXNsYXYgTWFseXNoZXYgKFBIUCBrZXkpIDxzbWFseXNoZXZAZ21haWwuY29t +Poh6BBMRCAAiBQJPZqq0AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAv +eVa8XaBLXZczAP0e5EiiVLAgrvu7wRjjrXLa7qxtffqfn+6j8sNC7GiLewD/Qy+m +e/M6G/0i5+++xkSPcTuLeH6IPnrjxgzB9MUKKP60K1N0YW5pc2xhdiBNYWx5c2hl +diAoUEhQIGtleSkgPHN0YXNAcGhwLm5ldD6IegQTEQgAIgUCT2apoAIbAwYLCQgH +AwIGFQgCCQoLBBYCAwECHgECF4AACgkQL3lWvF2gS12F2wD/WpBvlFluHo+UhV4c +IUULd8y/LnrAnUoLSSeGmHJl1wYA/1tAWFYZvHKUWfvGadsnZulr7Rh/NFbBuCZ4 +hKhki1DVtDVTdGFuaXNsYXYgTWFseXNoZXYgKFBIUCBrZXkpIDxzbWFseXNoZXZA +c3VnYXJjcm0uY29tPoh6BBMRCAAiBQJPZqqdAhsDBgsJCAcDAgYVCAIJCgsEFgID +AQIeAQIXgAAKCRAveVa8XaBLXWuhAP9L9/cztiAKFozxIC3v2IA+8uJ6mVQGBiC4 +4mMdzXpADQD8CbSaMqY2rdbk/S4D+8H6WIIRwwt1xmI4iw0jjh4ePk+5Ag0ET2ap +oBAIAN9k8ymNmSQZmPcFj/sCmguribCrNuH4KktfA2fbS0U29Jd9vxF15e9URvtJ +zH5b2pimJq6faJcmAJUfx+ClmlHznq6VPWrq4Ib74Je5sS+Kn94mRmX3f/ziHTgp +AnCyA6sCHQ6bc549Gfw+v777Qs1LQQvy5f9gd5M4Y6eeZOphN7JIFUV2i/oviZ6l +11+N6SJwpCqEvuZmH/G6rb0mKNPS401fy/i8NZAO7l2UBx1364HeBxcwP8+CKcPX +XOn7rC2tYKb/7IGqm8PBdBfk8ZSfC9tF+XsDLcybCaheJ5xkyDR3BNJzt7SWEHgc +ZEdl0EwkHisdRUZ3Oq6Mr9y06+sAAwUH/RS1vvpB7qwIyUfFUCZ4T99ujs+LTlu1 +n/HTWvrt0d9oxI/SuIIonszQ5b6MBe2737P8FWdiKxbrtZZ/GXZxLm1kOCIeAkBF +dZQ47vb6xJwc/wpCZOXXPXqDIpvBjdKbIGTByk4vfmeFRY0vL3ezI+hjqxlROKSv +Ztli6QcNDfdcE+zh7oxtYp+xr2ppWaeU4XeTlSoKGO618doRrhDtU/jAEimmEcGL +0wjXqgkjPME9saXa6h52PCJnpB5BmdK45VhnFTZ3eVEDw+u18U3VVKWkSb9VwC+2 +J4dRhYc3TA675yndKWvlclU2NOMmGXbxKWKcwwTniYoAZ/Yt2v91HBeIYQQYEQgA +CQUCT2apoAIbDAAKCRAveVa8XaBLXboRAP9VV3cWCMsqCUKVFA/N19Tzju2oMrjM +mNuZG/m8svCgTQD7ButCzuNUZTc2tLQAiXm9SZ7CmnYErNKR6nLbedaZ6PCZAg0E +Xrb0LgEQAOX87ju0d9lqnpjc/B8j3/jB79MPAkuoE/yMzPcAfyzl7ytYcgjBclqj +U1YWR3hWdJKI0Qx59+Ss1anIJuOvTo0Saanj0YJSlDCFPUO5C7wuEqh4+EgacAiy +23LUtunKVJ9MQ7t+TtKeRijI84KK58RcM4ukHHwbCb9ww1mEUjTlcJBJ/n70iNoT +GKGCZ18IpyFvK8atSf1jt67k9hS2wS7VJNqw3Orm6xJDqGi3fMFtWg9ErxrtNkIM +YmrO+ofRsilUcpUrEDyv2Q/FNviOVE9BXzVVJ7zxOCwjMNJ4ao6Ezk0NOZU36qv0 +Bg8B3IWN6axWMwUQvfh0SAzZUGxfzuraG86Rj1z21PJwJxQATIRhERfm118EAVxw +P/xz0Nwrr044Hx0Wi8mX6qi0B5d1rf08VAUoJ/Bhr7Lfbpjbi0z4mvwZh+ydRrow +Doff+g0IAamzRVmcFVFyOdLM2iM9z10Ds6dPvi6QVvTMZfrE3l1MIpFb+YuOeU5A +QFbl0so2HaWP1TMb/0pQjhXh9WwSOfwjG1QyEibs4CxSMbJ2TwPYLNo9QQZnBdPM +PBUfa0Jkahw+NnztHjENsHbsr/ic1Zvi7HuaUTCKzm1oGeiIqIBXtH8WrQsQlAWi +JdEvu2YkKAyjxUOD9reL4a8NbGve1MeNC1T4onX5OqJ/dCsnnd19ABEBAAG0OEdh +YnJpZWwgQ2FydXNvIChSZWxlYXNlIE1hbmFnZXIpIDxjYXJ1c29nYWJyaWVsQHBo +cC5uZXQ+iQJUBBMBCAA+FiEEv93ShkKCT4EY73eQm2elwSIpEY8FAl629C4CGwMF +CQeEzgAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQm2elwSIpEY93YRAAorek +8NdIxkegDBXSrVVR0wA3FsT7tMT25cVDHpV0NnGVoRYRQW65rjW7zPAKHe/oXk6M +OuVbCg9Gr9znJa/KlQHsi0Hsv+6+w6rLpXw8aQfikfFgLIVOELY6/MoVcao2vEXv +Q0gDPo3JKVA+W7lMrY+sLUyJcww9yI1181qBJRlAp5wwyKPiqNExHKlxRklMSR6v +gJHocL7hSWcGPpSmKMqq5oZkwB73mhEktXAI6yEuAeOKEx7XarBfWeN4BCo9BHgp +nslR5pjgzWjKbHK5k+XBS0ApKi4dDuzuDcodqhIhqUhrFj04LGznYfnLa7IVuupI +NVY+HX/OBd9+a7qEH+hF7IOGFwfjv5xOCfbdzDzp3v4G6mluzTmDxByNta/T30hF +tWmKsqY5FP7ip1eN6//DvhZlQVcpbs8WEeivo8BRvbMBy6tW/hFMhWxEPrA+i9Qq +CRt0l5f29smtnJyCcZPi3AvtZI8qK+fgFgEinbz+NnOXY62JLJl/+GucSoWnx9rg +OJb2ZEDcTFuN8JCo4YxPAvACSPib4CF03nnFhAuyP/qnPcDKwFGhLUT++3FIilEA +CZ/dSGEylGQqTSYDl/gyxCpHslnZt6f2T8ZMd4fuqyrNvWT6sTARjwX3VCCwHNPn +M7ik9DWsgZM3gIFrtBwkfd9zeL2tgxgC25WWkJS5Ag0EXrb0LgEQAN1a0LLbJ+fK +NIFqwxsjNM5X5YdyPQMkkM0mMZzLgZMz3yCSUFw/ZbfD6ZqRfpxugek39M2l8BRA +8eWo0TiFAq2HdD9yXBfqiWc1DFL0ZkVgJtSM8czE4IX1EON7BRwin0BkOChn+PE0 +JWKdvrjyo6bZ995YFyNkA3GlUxSyoAhaivPFfrSoKBUSXSiZBk9KzdrS5k76ZlhE +73Vej1S5XCz+Ssqj6X683iDqTWlkXaUJ8EAnwv+b81zPmnjfxnAWYxa/Hi+vGWxD +gDhP4El+XJSLjcEB5JWt0a1UkSKXigz7LkYib1s091mIkTPsNmtsh5c2opGMoWJd +wbZvyqgM3VqrlCIkLdGiThqvhh85kKkvgg1Bicg0d00vmWlzJ4MFhkbt0pTLY7hp ++e+PF3gWey9inmqbiz52Xag8PQav7opOi1fb95Wvi/BkMZ6v5nmjxzQEe+HaF4Uj +ZG1fFwVp3Hss2V2DvT2QAzz/JV1Aj0aNFo37VAVebKqkdrxNCRQQg4p630kwEImR +wJTYY8tVNUlVQPbdVwkYJvdhXjsVXApPoxBhU20S5qevxMiI/2FhEHHgm5PmokSa +XiDgII7Gm4sUgoAreslvOmydpQeGKSOU5gZ1MQtvfBvdcQQfV1klnCTtYQMV/6lN +UXEx9LlXzaQ3/Ah0LC0XSV+8B9zz/A0FABEBAAGJAjwEGAEIACYWIQS/3dKGQoJP +gRjvd5CbZ6XBIikRjwUCXrb0LgIbDAUJB4TOAAAKCRCbZ6XBIikRj1+vD/9KA9Ev +HdPNyDk8jU/dUvPYKqLcQTKA0cBpDcv9+N0bfVFijBtw8Hpyg+23Q0XxJuwpgL7N +72HLxCJzrpfIyucc5j99+Wrh1wrbqdynkKJ9hM24lMhj2ZHaP42oN6At4unLFGh8 +0a+YkJFjTxh9jORvtjXpQjzq+j+8isQ5i71yT9WTzesJBhtrLMVQrgOND5E6AS/I +uUEjOHt3INuG2HFJp0jRtdlBT9ZLB+zoTJIIMARUqZGZTgF+rehVIsTXed7fdWid +MK9GKN9SU+cBWZ3vcb37lDph8bCmRb/aGlby5hBUy6KwrSXF/V6VsyqWiccXzt99 +Dq0BfuSE+VCKYjHToyw4j9gnlrZdH2NMwyUgicKbc8GLbxGS6tzYrSy2MD+BILQD ++cnpGgAyD2kbcEm6ghGWLTTi11cotcr0uXCLiPZwWG28ychx9HxXvvNUNArvDSmP +26uZqo/WZFYukaaFLltQocI5PEAkx2K4N+xb0y5Ht/8M+XNO/t/pAR+yHWNUpZUg +bZ0dujm5hPdVA9U51cyHMCucOl0sN0+oO26re7e0ZTnImjF6HBzgN5LhDmccoT4r +pOFJqrW77hOMhvIUkg5n4Sd63wbB88BKsPXF6mRUEPcHuvwLr5jAE8QSW6sLhphA +bh57GXdFtudEaKvQbGW9yalYwuj7Yip5XJGttg== +=XZOV +-----END PGP PUBLIC KEY BLOCK----- diff --git a/php.conf b/php.conf new file mode 100644 index 0000000..0639c0a --- /dev/null +++ b/php.conf @@ -0,0 +1,52 @@ +# +# The following lines prevent .user.ini files from being viewed by Web clients. +# +<Files ".user.ini"> + <IfModule mod_authz_core.c> + Require all denied + </IfModule> + <IfModule !mod_authz_core.c> + Order allow,deny + Deny from all + Satisfy All + </IfModule> +</Files> + +# +# Allow php to handle Multiviews +# +AddType text/html .php + +# +# Add index.php to the list of files that will be served as directory +# indexes. +# +DirectoryIndex index.php + +# mod_php options +<IfModule mod_php.c> + # + # Cause the PHP interpreter to handle files with a .php extension. + # + <FilesMatch \.(php|phar)$> + SetHandler application/x-httpd-php + </FilesMatch> + + # + # Uncomment the following lines to allow PHP to pretty-print .phps + # files as PHP source code: + # + #<FilesMatch \.phps$> + # SetHandler application/x-httpd-php-source + #</FilesMatch> + + # + # Apache specific PHP configuration options + # those can be override in each configured vhost + # + php_value session.save_handler "files" + php_value session.save_path "/var/lib/php/session" + php_value soap.wsdl_cache_dir "/var/lib/php/wsdlcache" + + #php_value opcache.file_cache "/var/lib/php/opcache" +</IfModule> diff --git a/php.conf2 b/php.conf2 new file mode 100644 index 0000000..cdd7640 --- /dev/null +++ b/php.conf2 @@ -0,0 +1,14 @@ + +# Redirect to local php-fpm if mod_php (5, 7 or 8) is not available +<IfModule !mod_php5.c> + <IfModule !mod_php7.c> + <IfModule !mod_php.c> + # Enable http authorization headers + SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1 + + <FilesMatch \.(php|phar)$> + SetHandler "proxy:fcgi://127.0.0.1:9000" + </FilesMatch> + </IfModule> + </IfModule> +</IfModule> @@ -0,0 +1,1666 @@ +[PHP] + +;;;;;;;;;;;;;;;;;;; +; About php.ini ; +;;;;;;;;;;;;;;;;;;; +; PHP's initialization file, generally called php.ini, is responsible for +; configuring many of the aspects of PHP's behavior. + +; PHP attempts to find and load this configuration from a number of locations. +; The following is a summary of its search order: +; 1. SAPI module specific location. +; 2. The PHPRC environment variable. (As of PHP 5.2.0) +; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) +; 4. Current working directory (except CLI) +; 5. The web server's directory (for SAPI modules), or directory of PHP +; (otherwise in Windows) +; 6. The directory from the --with-config-file-path compile time option, or the +; Windows directory (usually C:\windows) +; See the PHP docs for more specific information. +; http://php.net/configuration.file + +; The syntax of the file is extremely simple. Whitespace and lines +; beginning with a semicolon are silently ignored (as you probably guessed). +; Section headers (e.g. [Foo]) are also silently ignored, even though +; they might mean something in the future. + +; Directives following the section heading [PATH=/www/mysite] only +; apply to PHP files in the /www/mysite directory. Directives +; following the section heading [HOST=www.example.com] only apply to +; PHP files served from www.example.com. Directives set in these +; special sections cannot be overridden by user-defined INI files or +; at runtime. Currently, [PATH=] and [HOST=] sections only work under +; CGI/FastCGI. +; http://php.net/ini.sections + +; Directives are specified using the following syntax: +; directive = value +; Directive names are *case sensitive* - foo=bar is different from FOO=bar. +; Directives are variables used to configure PHP or PHP extensions. +; There is no name validation. If PHP can't find an expected +; directive because it is not set or is mistyped, a default value will be used. + +; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one +; of the INI constants (On, Off, True, False, Yes, No and None) or an expression +; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a +; previously set variable or directive (e.g. ${foo}) + +; Expressions in the INI file are limited to bitwise operators and parentheses: +; | bitwise OR +; ^ bitwise XOR +; & bitwise AND +; ~ bitwise NOT +; ! boolean NOT + +; Boolean flags can be turned on using the values 1, On, True or Yes. +; They can be turned off using the values 0, Off, False or No. + +; An empty string can be denoted by simply not writing anything after the equal +; sign, or by using the None keyword: + +; foo = ; sets foo to an empty string +; foo = None ; sets foo to an empty string +; foo = "None" ; sets foo to the string 'None' + +; If you use constants in your value, and these constants belong to a +; dynamically loaded extension (either a PHP extension or a Zend extension), +; you may only use these constants *after* the line that loads the extension. + +;;;;;;;;;;;;;;;;;;; +; About this file ; +;;;;;;;;;;;;;;;;;;; +; PHP comes packaged with two INI files. One that is recommended to be used +; in production environments and one that is recommended to be used in +; development environments. + +; php.ini-production contains settings which hold security, performance and +; best practices at its core. But please be aware, these settings may break +; compatibility with older or less security conscience applications. We +; recommending using the production ini in production and testing environments. + +; php.ini-development is very similar to its production variant, except it is +; much more verbose when it comes to errors. We recommend using the +; development version only in development environments, as errors shown to +; application users can inadvertently leak otherwise secure information. + +; This is the php.ini-production INI file. + +;;;;;;;;;;;;;;;;;;; +; Quick Reference ; +;;;;;;;;;;;;;;;;;;; + +; The following are all the settings which are different in either the production +; or development versions of the INIs with respect to PHP's default behavior. +; Please see the actual settings later in the document for more details as to why +; we recommend these changes in PHP's behavior. + +; display_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; display_startup_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; error_reporting +; Default Value: E_ALL +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT + +; log_errors +; Default Value: Off +; Development Value: On +; Production Value: On + +; max_input_time +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) + +; output_buffering +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 + +; register_argc_argv +; Default Value: On +; Development Value: Off +; Production Value: Off + +; request_order +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" + +; session.gc_divisor +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 + +; session.sid_bits_per_character +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 + +; short_open_tag +; Default Value: On +; Development Value: Off +; Production Value: Off + +; variables_order +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS" + +; zend.exception_ignore_args +; Default Value: Off +; Development Value: Off +; Production Value: On + +; zend.exception_string_param_max_len +; Default Value: 15 +; Development Value: 15 +; Production Value: 0 + +;;;;;;;;;;;;;;;;;;;; +; php.ini Options ; +;;;;;;;;;;;;;;;;;;;; +; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini" +;user_ini.filename = ".user.ini" + +; To disable this feature set this option to an empty value +;user_ini.filename = + +; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes) +;user_ini.cache_ttl = 300 + +;;;;;;;;;;;;;;;;;;;; +; Language Options ; +;;;;;;;;;;;;;;;;;;;; + +; Enable the PHP scripting language engine under Apache. +; http://php.net/engine +engine = On + +; This directive determines whether or not PHP will recognize code between +; <? and ?> tags as PHP source which should be processed as such. It is +; generally recommended that <?php and ?> should be used and that this feature +; should be disabled, as enabling it may result in issues when generating XML +; documents, however this remains supported for backward compatibility reasons. +; Note that this directive does not control the <?= shorthand tag, which can be +; used regardless of this directive. +; Default Value: On +; Development Value: Off +; Production Value: Off +; http://php.net/short-open-tag +short_open_tag = Off + +; The number of significant digits displayed in floating point numbers. +; http://php.net/precision +precision = 14 + +; Output buffering is a mechanism for controlling how much output data +; (excluding headers and cookies) PHP should keep internally before pushing that +; data to the client. If your application's output exceeds this setting, PHP +; will send that data in chunks of roughly the size you specify. +; Turning on this setting and managing its maximum buffer size can yield some +; interesting side-effects depending on your application and web server. +; You may be able to send headers and cookies after you've already sent output +; through print or echo. You also may see performance benefits if your server is +; emitting less packets due to buffered output versus PHP streaming the output +; as it gets it. On production servers, 4096 bytes is a good setting for performance +; reasons. +; Note: Output buffering can also be controlled via Output Buffering Control +; functions. +; Possible Values: +; On = Enabled and buffer is unlimited. (Use with caution) +; Off = Disabled +; Integer = Enables the buffer and sets its maximum size in bytes. +; Note: This directive is hardcoded to Off for the CLI SAPI +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 +; http://php.net/output-buffering +output_buffering = 4096 + +; You can redirect all of the output of your scripts to a function. For +; example, if you set output_handler to "mb_output_handler", character +; encoding will be transparently converted to the specified encoding. +; Setting any output handler automatically turns on output buffering. +; Note: People who wrote portable scripts should not depend on this ini +; directive. Instead, explicitly set the output handler using ob_start(). +; Using this ini directive may cause problems unless you know what script +; is doing. +; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler" +; and you cannot use both "ob_gzhandler" and "zlib.output_compression". +; Note: output_handler must be empty if this is set 'On' !!!! +; Instead you must use zlib.output_handler. +; http://php.net/output-handler +;output_handler = + +; URL rewriter function rewrites URL on the fly by using +; output buffer. You can set target tags by this configuration. +; "form" tag is special tag. It will add hidden input tag to pass values. +; Refer to session.trans_sid_tags for usage. +; Default Value: "form=" +; Development Value: "form=" +; Production Value: "form=" +;url_rewriter.tags + +; URL rewriter will not rewrite absolute URL nor form by default. To enable +; absolute URL rewrite, allowed hosts must be defined at RUNTIME. +; Refer to session.trans_sid_hosts for more details. +; Default Value: "" +; Development Value: "" +; Production Value: "" +;url_rewriter.hosts + +; Transparent output compression using the zlib library +; Valid values for this option are 'off', 'on', or a specific buffer size +; to be used for compression (default is 4KB) +; Note: Resulting chunk size may vary due to nature of compression. PHP +; outputs chunks that are few hundreds bytes each as a result of +; compression. If you prefer a larger chunk size for better +; performance, enable output_buffering in addition. +; Note: You need to use zlib.output_handler instead of the standard +; output_handler, or otherwise the output will be corrupted. +; http://php.net/zlib.output-compression +zlib.output_compression = Off + +; http://php.net/zlib.output-compression-level +;zlib.output_compression_level = -1 + +; You cannot specify additional output handlers if zlib.output_compression +; is activated here. This setting does the same as output_handler but in +; a different order. +; http://php.net/zlib.output-handler +;zlib.output_handler = + +; Implicit flush tells PHP to tell the output layer to flush itself +; automatically after every output block. This is equivalent to calling the +; PHP function flush() after each and every call to print() or echo() and each +; and every HTML block. Turning this option on has serious performance +; implications and is generally recommended for debugging purposes only. +; http://php.net/implicit-flush +; Note: This directive is hardcoded to On for the CLI SAPI +implicit_flush = Off + +; The unserialize callback function will be called (with the undefined class' +; name as parameter), if the unserializer finds an undefined class +; which should be instantiated. A warning appears if the specified function is +; not defined, or if the function doesn't include/implement the missing class. +; So only set this entry, if you really want to implement such a +; callback-function. +unserialize_callback_func = + +; The unserialize_max_depth specifies the default depth limit for unserialized +; structures. Setting the depth limit too high may result in stack overflows +; during unserialization. The unserialize_max_depth ini setting can be +; overridden by the max_depth option on individual unserialize() calls. +; A value of 0 disables the depth limit. +;unserialize_max_depth = 4096 + +; When floats & doubles are serialized, store serialize_precision significant +; digits after the floating point. The default value ensures that when floats +; are decoded with unserialize, the data will remain the same. +; The value is also used for json_encode when encoding double values. +; If -1 is used, then dtoa mode 0 is used which automatically select the best +; precision. +serialize_precision = -1 + +; open_basedir, if set, limits all file operations to the defined directory +; and below. This directive makes most sense if used in a per-directory +; or per-virtualhost web server configuration file. +; Note: disables the realpath cache +; http://php.net/open-basedir +;open_basedir = + +; This directive allows you to disable certain functions. +; It receives a comma-delimited list of function names. +; http://php.net/disable-functions +disable_functions = + +; This directive allows you to disable certain classes. +; It receives a comma-delimited list of class names. +; http://php.net/disable-classes +disable_classes = + +; Colors for Syntax Highlighting mode. Anything that's acceptable in +; <span style="color: ???????"> would work. +; http://php.net/syntax-highlighting +;highlight.string = #DD0000 +;highlight.comment = #FF9900 +;highlight.keyword = #007700 +;highlight.default = #0000BB +;highlight.html = #000000 + +; If enabled, the request will be allowed to complete even if the user aborts +; the request. Consider enabling it if executing long requests, which may end up +; being interrupted by the user or a browser timing out. PHP's default behavior +; is to disable this feature. +; http://php.net/ignore-user-abort +;ignore_user_abort = On + +; Determines the size of the realpath cache to be used by PHP. This value should +; be increased on systems where PHP opens many files to reflect the quantity of +; the file operations performed. +; Note: if open_basedir is set, the cache is disabled +; http://php.net/realpath-cache-size +;realpath_cache_size = 4096k + +; Duration of time, in seconds for which to cache realpath information for a given +; file or directory. For systems with rarely changing files, consider increasing this +; value. +; http://php.net/realpath-cache-ttl +;realpath_cache_ttl = 120 + +; Enables or disables the circular reference collector. +; http://php.net/zend.enable-gc +zend.enable_gc = On + +; If enabled, scripts may be written in encodings that are incompatible with +; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such +; encodings. To use this feature, mbstring extension must be enabled. +;zend.multibyte = Off + +; Allows to set the default encoding for the scripts. This value will be used +; unless "declare(encoding=...)" directive appears at the top of the script. +; Only affects if zend.multibyte is set. +;zend.script_encoding = + +; Allows to include or exclude arguments from stack traces generated for exceptions. +; In production, it is recommended to turn this setting on to prohibit the output +; of sensitive information in stack traces +; Default Value: Off +; Development Value: Off +; Production Value: On +zend.exception_ignore_args = On + +; Allows setting the maximum string length in an argument of a stringified stack trace +; to a value between 0 and 1000000. +; This has no effect when zend.exception_ignore_args is enabled. +; Default Value: 15 +; Development Value: 15 +; Production Value: 0 +; In production, it is recommended to set this to 0 to reduce the output +; of sensitive information in stack traces. +zend.exception_string_param_max_len = 0 + +;;;;;;;;;;;;;;;;; +; Miscellaneous ; +;;;;;;;;;;;;;;;;; + +; Decides whether PHP may expose the fact that it is installed on the server +; (e.g. by adding its signature to the Web server header). It is no security +; threat in any way, but it makes it possible to determine whether you use PHP +; on your server or not. +; http://php.net/expose-php +expose_php = On + +;;;;;;;;;;;;;;;;;;; +; Resource Limits ; +;;;;;;;;;;;;;;;;;;; + +; Maximum execution time of each script, in seconds +; http://php.net/max-execution-time +; Note: This directive is hardcoded to 0 for the CLI SAPI +max_execution_time = 30 + +; Maximum amount of time each script may spend parsing request data. It's a good +; idea to limit this time on productions servers in order to eliminate unexpectedly +; long running scripts. +; Note: This directive is hardcoded to -1 for the CLI SAPI +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) +; http://php.net/max-input-time +max_input_time = 60 + +; Maximum input variable nesting level +; http://php.net/max-input-nesting-level +;max_input_nesting_level = 64 + +; How many GET/POST/COOKIE input variables may be accepted +;max_input_vars = 1000 + +; Maximum amount of memory a script may consume +; http://php.net/memory-limit +memory_limit = 128M + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Error handling and logging ; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; This directive informs PHP of which errors, warnings and notices you would like +; it to take action for. The recommended way of setting values for this +; directive is through the use of the error level constants and bitwise +; operators. The error level constants are below here for convenience as well as +; some common settings and their meanings. +; By default, PHP is set to take action on all errors, notices and warnings EXCEPT +; those related to E_NOTICE and E_STRICT, which together cover best practices and +; recommended coding standards in PHP. For performance reasons, this is the +; recommend error reporting setting. Your production server shouldn't be wasting +; resources complaining about best practices and coding standards. That's what +; development servers and development settings are for. +; Note: The php.ini-development file has this setting as E_ALL. This +; means it pretty much reports everything which is exactly what you want during +; development and early testing. +; +; Error Level Constants: +; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0) +; E_ERROR - fatal run-time errors +; E_RECOVERABLE_ERROR - almost fatal run-time errors +; E_WARNING - run-time warnings (non-fatal errors) +; E_PARSE - compile-time parse errors +; E_NOTICE - run-time notices (these are warnings which often result +; from a bug in your code, but it's possible that it was +; intentional (e.g., using an uninitialized variable and +; relying on the fact it is automatically initialized to an +; empty string) +; E_STRICT - run-time notices, enable to have PHP suggest changes +; to your code which will ensure the best interoperability +; and forward compatibility of your code +; E_CORE_ERROR - fatal errors that occur during PHP's initial startup +; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's +; initial startup +; E_COMPILE_ERROR - fatal compile-time errors +; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) +; E_USER_ERROR - user-generated error message +; E_USER_WARNING - user-generated warning message +; E_USER_NOTICE - user-generated notice message +; E_DEPRECATED - warn about code that will not work in future versions +; of PHP +; E_USER_DEPRECATED - user-generated deprecation warnings +; +; Common Values: +; E_ALL (Show all errors, warnings and notices including coding standards.) +; E_ALL & ~E_NOTICE (Show all errors, except for notices) +; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.) +; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors) +; Default Value: E_ALL +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT +; http://php.net/error-reporting +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT + +; This directive controls whether or not and where PHP will output errors, +; notices and warnings too. Error output is very useful during development, but +; it could be very dangerous in production environments. Depending on the code +; which is triggering the error, sensitive information could potentially leak +; out of your application such as database usernames and passwords or worse. +; For production environments, we recommend logging errors rather than +; sending them to STDOUT. +; Possible Values: +; Off = Do not display any errors +; stderr = Display errors to STDERR (affects only CGI/CLI binaries!) +; On or stdout = Display errors to STDOUT +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/display-errors +display_errors = Off + +; The display of errors which occur during PHP's startup sequence are handled +; separately from display_errors. We strongly recommend you set this to 'off' +; for production servers to avoid leaking configuration details. +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/display-startup-errors +display_startup_errors = Off + +; Besides displaying errors, PHP can also log errors to locations such as a +; server-specific log, STDERR, or a location specified by the error_log +; directive found below. While errors should not be displayed on productions +; servers they should still be monitored and logging is a great way to do that. +; Default Value: Off +; Development Value: On +; Production Value: On +; http://php.net/log-errors +log_errors = On + +; Set maximum length of log_errors. In error_log information about the source is +; added. The default is 1024 and 0 allows to not apply any maximum length at all. +; http://php.net/log-errors-max-len +log_errors_max_len = 1024 + +; Do not log repeated messages. Repeated errors must occur in same file on same +; line unless ignore_repeated_source is set true. +; http://php.net/ignore-repeated-errors +ignore_repeated_errors = Off + +; Ignore source of message when ignoring repeated messages. When this setting +; is On you will not log errors with repeated messages from different files or +; source lines. +; http://php.net/ignore-repeated-source +ignore_repeated_source = Off + +; If this parameter is set to Off, then memory leaks will not be shown (on +; stdout or in the log). This is only effective in a debug compile, and if +; error reporting includes E_WARNING in the allowed list +; http://php.net/report-memleaks +report_memleaks = On + +; This setting is off by default. +;report_zend_debug = 0 + +; Turn off normal error reporting and emit XML-RPC error XML +; http://php.net/xmlrpc-errors +;xmlrpc_errors = 0 + +; An XML-RPC faultCode +;xmlrpc_error_number = 0 + +; When PHP displays or logs an error, it has the capability of formatting the +; error message as HTML for easier reading. This directive controls whether +; the error message is formatted as HTML or not. +; Note: This directive is hardcoded to Off for the CLI SAPI +; http://php.net/html-errors +;html_errors = On + +; If html_errors is set to On *and* docref_root is not empty, then PHP +; produces clickable error messages that direct to a page describing the error +; or function causing the error in detail. +; You can download a copy of the PHP manual from http://php.net/docs +; and change docref_root to the base URL of your local copy including the +; leading '/'. You must also specify the file extension being used including +; the dot. PHP's default behavior is to leave these settings empty, in which +; case no links to documentation are generated. +; Note: Never use this feature for production boxes. +; http://php.net/docref-root +; Examples +;docref_root = "/phpmanual/" + +; http://php.net/docref-ext +;docref_ext = .html + +; String to output before an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-prepend-string +; Example: +;error_prepend_string = "<span style='color: #ff0000'>" + +; String to output after an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-append-string +; Example: +;error_append_string = "</span>" + +; Log errors to specified file. PHP's default behavior is to leave this value +; empty. +; http://php.net/error-log +; Example: +;error_log = php_errors.log +; Log errors to syslog (Event Log on Windows). +;error_log = syslog + +; The syslog ident is a string which is prepended to every message logged +; to syslog. Only used when error_log is set to syslog. +;syslog.ident = php + +; The syslog facility is used to specify what type of program is logging +; the message. Only used when error_log is set to syslog. +;syslog.facility = user + +; Set this to disable filtering control characters (the default). +; Some loggers only accept NVT-ASCII, others accept anything that's not +; control characters. If your logger accepts everything, then no filtering +; is needed at all. +; Allowed values are: +; ascii (all printable ASCII characters and NL) +; no-ctrl (all characters except control characters) +; all (all characters) +; raw (like "all", but messages are not split at newlines) +; http://php.net/syslog.filter +;syslog.filter = ascii + +;windows.show_crt_warning +; Default value: 0 +; Development value: 0 +; Production value: 0 + +;;;;;;;;;;;;;;;;; +; Data Handling ; +;;;;;;;;;;;;;;;;; + +; The separator used in PHP generated URLs to separate arguments. +; PHP's default setting is "&". +; http://php.net/arg-separator.output +; Example: +;arg_separator.output = "&" + +; List of separator(s) used by PHP to parse input URLs into variables. +; PHP's default setting is "&". +; NOTE: Every character in this directive is considered as separator! +; http://php.net/arg-separator.input +; Example: +;arg_separator.input = ";&" + +; This directive determines which super global arrays are registered when PHP +; starts up. G,P,C,E & S are abbreviations for the following respective super +; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty +; paid for the registration of these arrays and because ENV is not as commonly +; used as the others, ENV is not recommended on productions servers. You +; can still get access to the environment variables through getenv() should you +; need to. +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS"; +; http://php.net/variables-order +variables_order = "GPCS" + +; This directive determines which super global data (G,P & C) should be +; registered into the super global array REQUEST. If so, it also determines +; the order in which that data is registered. The values for this directive +; are specified in the same manner as the variables_order directive, +; EXCEPT one. Leaving this value empty will cause PHP to use the value set +; in the variables_order directive. It does not mean it will leave the super +; globals array REQUEST empty. +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" +; http://php.net/request-order +request_order = "GP" + +; This directive determines whether PHP registers $argv & $argc each time it +; runs. $argv contains an array of all the arguments passed to PHP when a script +; is invoked. $argc contains an integer representing the number of arguments +; that were passed when the script was invoked. These arrays are extremely +; useful when running scripts from the command line. When this directive is +; enabled, registering these variables consumes CPU cycles and memory each time +; a script is executed. For performance reasons, this feature should be disabled +; on production servers. +; Note: This directive is hardcoded to On for the CLI SAPI +; Default Value: On +; Development Value: Off +; Production Value: Off +; http://php.net/register-argc-argv +register_argc_argv = Off + +; When enabled, the ENV, REQUEST and SERVER variables are created when they're +; first used (Just In Time) instead of when the script starts. If these +; variables are not used within a script, having this directive on will result +; in a performance gain. The PHP directive register_argc_argv must be disabled +; for this directive to have any effect. +; http://php.net/auto-globals-jit +auto_globals_jit = On + +; Whether PHP will read the POST data. +; This option is enabled by default. +; Most likely, you won't want to disable this option globally. It causes $_POST +; and $_FILES to always be empty; the only way you will be able to read the +; POST data will be through the php://input stream wrapper. This can be useful +; to proxy requests or to process the POST data in a memory efficient fashion. +; http://php.net/enable-post-data-reading +;enable_post_data_reading = Off + +; Maximum size of POST data that PHP will accept. +; Its value may be 0 to disable the limit. It is ignored if POST data reading +; is disabled through enable_post_data_reading. +; http://php.net/post-max-size +post_max_size = 8M + +; Automatically add files before PHP document. +; http://php.net/auto-prepend-file +auto_prepend_file = + +; Automatically add files after PHP document. +; http://php.net/auto-append-file +auto_append_file = + +; By default, PHP will output a media type using the Content-Type header. To +; disable this, simply set it to be empty. +; +; PHP's built-in default media type is set to text/html. +; http://php.net/default-mimetype +default_mimetype = "text/html" + +; PHP's default character set is set to UTF-8. +; http://php.net/default-charset +default_charset = "UTF-8" + +; PHP internal character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/internal-encoding +;internal_encoding = + +; PHP input character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/input-encoding +;input_encoding = + +; PHP output character encoding is set to empty. +; If empty, default_charset is used. +; See also output_buffer. +; http://php.net/output-encoding +;output_encoding = + +;;;;;;;;;;;;;;;;;;;;;;;;; +; Paths and Directories ; +;;;;;;;;;;;;;;;;;;;;;;;;; + +; UNIX: "/path1:/path2" +;include_path = ".:/php/includes" +; +; Windows: "\path1;\path2" +;include_path = ".;c:\php\includes" +; +; PHP's default setting for include_path is ".;/path/to/php/pear" +; http://php.net/include-path + +; The root of the PHP pages, used only if nonempty. +; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root +; if you are running php as a CGI under any web server (other than IIS) +; see documentation for security issues. The alternate is to use the +; cgi.force_redirect configuration below +; http://php.net/doc-root +doc_root = + +; The directory under which PHP opens the script using /~username used only +; if nonempty. +; http://php.net/user-dir +user_dir = + +; Directory in which the loadable extensions (modules) reside. +; http://php.net/extension-dir +;extension_dir = "./" +; On windows: +;extension_dir = "ext" + +; Directory where the temporary files should be placed. +; Defaults to the system default (see sys_get_temp_dir) +;sys_temp_dir = "/tmp" + +; Whether or not to enable the dl() function. The dl() function does NOT work +; properly in multithreaded servers, such as IIS or Zeus, and is automatically +; disabled on them. +; http://php.net/enable-dl +enable_dl = Off + +; cgi.force_redirect is necessary to provide security running PHP as a CGI under +; most web servers. Left undefined, PHP turns this on by default. You can +; turn it off here AT YOUR OWN RISK +; **You CAN safely turn this off for IIS, in fact, you MUST.** +; http://php.net/cgi.force-redirect +;cgi.force_redirect = 1 + +; if cgi.nph is enabled it will force cgi to always sent Status: 200 with +; every request. PHP's default behavior is to disable this feature. +;cgi.nph = 1 + +; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape +; (iPlanet) web servers, you MAY need to set an environment variable name that PHP +; will look for to know it is OK to continue execution. Setting this variable MAY +; cause security issues, KNOW WHAT YOU ARE DOING FIRST. +; http://php.net/cgi.redirect-status-env +;cgi.redirect_status_env = + +; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's +; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok +; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting +; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting +; of zero causes PHP to behave as before. Default is 1. You should fix your scripts +; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. +; http://php.net/cgi.fix-pathinfo +;cgi.fix_pathinfo=1 + +; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside +; of the web tree and people will not be able to circumvent .htaccess security. +;cgi.discard_path=1 + +; FastCGI under IIS supports the ability to impersonate +; security tokens of the calling client. This allows IIS to define the +; security context that the request runs under. mod_fastcgi under Apache +; does not currently support this feature (03/17/2002) +; Set to 1 if running under IIS. Default is zero. +; http://php.net/fastcgi.impersonate +;fastcgi.impersonate = 1 + +; Disable logging through FastCGI connection. PHP's default behavior is to enable +; this feature. +;fastcgi.logging = 0 + +; cgi.rfc2616_headers configuration option tells PHP what type of headers to +; use when sending HTTP response code. If set to 0, PHP sends Status: header that +; is supported by Apache. When this option is set to 1, PHP will send +; RFC2616 compliant header. +; Default is zero. +; http://php.net/cgi.rfc2616-headers +;cgi.rfc2616_headers = 0 + +; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #! +; (shebang) at the top of the running script. This line might be needed if the +; script support running both as stand-alone script and via PHP CGI<. PHP in CGI +; mode skips this line and ignores its content if this directive is turned on. +; http://php.net/cgi.check-shebang-line +;cgi.check_shebang_line=1 + +;;;;;;;;;;;;;;;; +; File Uploads ; +;;;;;;;;;;;;;;;; + +; Whether to allow HTTP file uploads. +; http://php.net/file-uploads +file_uploads = On + +; Temporary directory for HTTP uploaded files (will use system default if not +; specified). +; http://php.net/upload-tmp-dir +;upload_tmp_dir = + +; Maximum allowed size for uploaded files. +; http://php.net/upload-max-filesize +upload_max_filesize = 2M + +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 20 + +;;;;;;;;;;;;;;;;;; +; Fopen wrappers ; +;;;;;;;;;;;;;;;;;; + +; Whether to allow the treatment of URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-fopen +allow_url_fopen = On + +; Whether to allow include/require to open URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-include +allow_url_include = Off + +; Define the anonymous ftp password (your email address). PHP's default setting +; for this is empty. +; http://php.net/from +;from="john@doe.com" + +; Define the User-Agent string. PHP's default setting for this is empty. +; http://php.net/user-agent +;user_agent="PHP" + +; Default timeout for socket based streams (seconds) +; http://php.net/default-socket-timeout +default_socket_timeout = 60 + +; If your scripts have to deal with files from Macintosh systems, +; or you are running on a Mac and need to deal with files from +; unix or win32 systems, setting this flag will cause PHP to +; automatically detect the EOL character in those files so that +; fgets() and file() will work regardless of the source of the file. +; http://php.net/auto-detect-line-endings +;auto_detect_line_endings = Off + +;;;;;;;;;;;;;;;;;;;;;; +; Dynamic Extensions ; +;;;;;;;;;;;;;;;;;;;;;; + +; If you wish to have an extension loaded automatically, use the following +; syntax: +; +; extension=modulename +; +; For example: +; +; extension=mysqli +; +; When the extension library to load is not located in the default extension +; directory, You may specify an absolute path to the library file: +; +; extension=/path/to/extension/mysqli.so +; +; Note : The syntax used in previous PHP versions ('extension=<ext>.so' and +; 'extension='php_<ext>.dll') is supported for legacy reasons and may be +; deprecated in a future PHP major version. So, when it is possible, please +; move to the new ('extension=<ext>) syntax. + +;;;; +; Note: packaged extension modules are now loaded via the .ini files +; found in the directory /etc/php.d; these are loaded by default. +;;;; + +;;;;;;;;;;;;;;;;;;; +; Module Settings ; +;;;;;;;;;;;;;;;;;;; + +[CLI Server] +; Whether the CLI web server uses ANSI color coding in its terminal output. +cli_server.color = On + +[Date] +; Defines the default timezone used by the date functions +; http://php.net/date.timezone +;date.timezone = + +; http://php.net/date.default-latitude +;date.default_latitude = 31.7667 + +; http://php.net/date.default-longitude +;date.default_longitude = 35.2333 + +; http://php.net/date.sunrise-zenith +;date.sunrise_zenith = 90.833333 + +; http://php.net/date.sunset-zenith +;date.sunset_zenith = 90.833333 + +[filter] +; http://php.net/filter.default +;filter.default = unsafe_raw + +; http://php.net/filter.default-flags +;filter.default_flags = + +[iconv] +; Use of this INI entry is deprecated, use global input_encoding instead. +; If empty, default_charset or input_encoding or iconv.input_encoding is used. +; The precedence is: default_charset < input_encoding < iconv.input_encoding +;iconv.input_encoding = + +; Use of this INI entry is deprecated, use global internal_encoding instead. +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;iconv.internal_encoding = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; If empty, default_charset or output_encoding or iconv.output_encoding is used. +; The precedence is: default_charset < output_encoding < iconv.output_encoding +; To use an output encoding conversion, iconv's output handler must be set +; otherwise output encoding conversion cannot be performed. +;iconv.output_encoding = + +[imap] +; rsh/ssh logins are disabled by default. Use this INI entry if you want to +; enable them. Note that the IMAP library does not filter mailbox names before +; passing them to rsh/ssh command, thus passing untrusted data to this function +; with rsh/ssh enabled is insecure. +;imap.enable_insecure_rsh=0 + +[intl] +;intl.default_locale = +; This directive allows you to produce PHP errors when some error +; happens within intl functions. The value is the level of the error produced. +; Default is 0, which does not produce any errors. +;intl.error_level = E_WARNING +;intl.use_exceptions = 0 + +[sqlite3] +; Directory pointing to SQLite3 extensions +; http://php.net/sqlite3.extension-dir +;sqlite3.extension_dir = + +; SQLite defensive mode flag (only available from SQLite 3.26+) +; When the defensive flag is enabled, language features that allow ordinary +; SQL to deliberately corrupt the database file are disabled. This forbids +; writing directly to the schema, shadow tables (eg. FTS data tables), or +; the sqlite_dbpage virtual table. +; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html +; (for older SQLite versions, this flag has no use) +;sqlite3.defensive = 1 + +[Pcre] +; PCRE library backtracking limit. +; http://php.net/pcre.backtrack-limit +;pcre.backtrack_limit=100000 + +; PCRE library recursion limit. +; Please note that if you set this value to a high number you may consume all +; the available process stack and eventually crash PHP (due to reaching the +; stack size limit imposed by the Operating System). +; http://php.net/pcre.recursion-limit +;pcre.recursion_limit=100000 + +; Enables or disables JIT compilation of patterns. This requires the PCRE +; library to be compiled with JIT support. +pcre.jit=0 + +[Pdo] +; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off" +; http://php.net/pdo-odbc.connection-pooling +;pdo_odbc.connection_pooling=strict + +[Pdo_mysql] +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +pdo_mysql.default_socket= + +[Phar] +; http://php.net/phar.readonly +;phar.readonly = On + +; http://php.net/phar.require-hash +;phar.require_hash = On + +;phar.cache_list = + +[mail function] +; For Unix only. You may supply arguments as well (default: "sendmail -t -i"). +; http://php.net/sendmail-path +sendmail_path = /usr/sbin/sendmail -t -i + +; Force the addition of the specified parameters to be passed as extra parameters +; to the sendmail binary. These parameters will always replace the value of +; the 5th parameter to mail(). +;mail.force_extra_parameters = + +; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename +mail.add_x_header = Off + +; The path to a log file that will log all mail() calls. Log entries include +; the full path of the script, line number, To address and headers. +;mail.log = +; Log mail to syslog (Event Log on Windows). +;mail.log = syslog + +[ODBC] +; http://php.net/odbc.default-db +;odbc.default_db = Not yet implemented + +; http://php.net/odbc.default-user +;odbc.default_user = Not yet implemented + +; http://php.net/odbc.default-pw +;odbc.default_pw = Not yet implemented + +; Controls the ODBC cursor model. +; Default: SQL_CURSOR_STATIC (default). +;odbc.default_cursortype + +; Allow or prevent persistent links. +; http://php.net/odbc.allow-persistent +odbc.allow_persistent = On + +; Check that a connection is still valid before reuse. +; http://php.net/odbc.check-persistent +odbc.check_persistent = On + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/odbc.max-persistent +odbc.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +; http://php.net/odbc.max-links +odbc.max_links = -1 + +; Handling of LONG fields. Returns number of bytes to variables. 0 means +; passthru. +; http://php.net/odbc.defaultlrl +odbc.defaultlrl = 4096 + +; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char. +; See the documentation on odbc_binmode and odbc_longreadlen for an explanation +; of odbc.defaultlrl and odbc.defaultbinmode +; http://php.net/odbc.defaultbinmode +odbc.defaultbinmode = 1 + +[MySQLi] + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/mysqli.max-persistent +mysqli.max_persistent = -1 + +; Allow accessing, from PHP's perspective, local files with LOAD DATA statements +; http://php.net/mysqli.allow_local_infile +;mysqli.allow_local_infile = On + +; Allow or prevent persistent links. +; http://php.net/mysqli.allow-persistent +mysqli.allow_persistent = On + +; Maximum number of links. -1 means no limit. +; http://php.net/mysqli.max-links +mysqli.max_links = -1 + +; Default port number for mysqli_connect(). If unset, mysqli_connect() will use +; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the +; compile-time value defined MYSQL_PORT (in that order). Win32 will only look +; at MYSQL_PORT. +; http://php.net/mysqli.default-port +mysqli.default_port = 3306 + +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +; http://php.net/mysqli.default-socket +mysqli.default_socket = + +; Default host for mysqli_connect() (doesn't apply in safe mode). +; http://php.net/mysqli.default-host +mysqli.default_host = + +; Default user for mysqli_connect() (doesn't apply in safe mode). +; http://php.net/mysqli.default-user +mysqli.default_user = + +; Default password for mysqli_connect() (doesn't apply in safe mode). +; Note that this is generally a *bad* idea to store passwords in this file. +; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw") +; and reveal this password! And of course, any users with read access to this +; file will be able to reveal the password as well. +; http://php.net/mysqli.default-pw +mysqli.default_pw = + +; Allow or prevent reconnect +mysqli.reconnect = Off + +[mysqlnd] +; Enable / Disable collection of general statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +mysqlnd.collect_statistics = On + +; Enable / Disable collection of memory usage statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +mysqlnd.collect_memory_statistics = Off + +; Records communication from all extensions using mysqlnd to the specified log +; file. +; http://php.net/mysqlnd.debug +;mysqlnd.debug = + +; Defines which queries will be logged. +;mysqlnd.log_mask = 0 + +; Default size of the mysqlnd memory pool, which is used by result sets. +;mysqlnd.mempool_default_size = 16000 + +; Size of a pre-allocated buffer used when sending commands to MySQL in bytes. +;mysqlnd.net_cmd_buffer_size = 2048 + +; Size of a pre-allocated buffer used for reading data sent by the server in +; bytes. +;mysqlnd.net_read_buffer_size = 32768 + +; Timeout for network requests in seconds. +;mysqlnd.net_read_timeout = 31536000 + +; SHA-256 Authentication Plugin related. File with the MySQL server public RSA +; key. +;mysqlnd.sha256_server_public_key = + +[OCI8] +; see /etc/php.d/20-oci8.ini + +[PostgreSQL] +; Allow or prevent persistent links. +; http://php.net/pgsql.allow-persistent +pgsql.allow_persistent = On + +; Detect broken persistent links always with pg_pconnect(). +; Auto reset feature requires a little overheads. +; http://php.net/pgsql.auto-reset-persistent +pgsql.auto_reset_persistent = Off + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/pgsql.max-persistent +pgsql.max_persistent = -1 + +; Maximum number of links (persistent+non persistent). -1 means no limit. +; http://php.net/pgsql.max-links +pgsql.max_links = -1 + +; Ignore PostgreSQL backends Notice message or not. +; Notice message logging require a little overheads. +; http://php.net/pgsql.ignore-notice +pgsql.ignore_notice = 0 + +; Log PostgreSQL backends Notice message or not. +; Unless pgsql.ignore_notice=0, module cannot log notice message. +; http://php.net/pgsql.log-notice +pgsql.log_notice = 0 + +[bcmath] +; Number of decimal digits for all bcmath functions. +; http://php.net/bcmath.scale +bcmath.scale = 0 + +[browscap] +; http://php.net/browscap +;browscap = extra/browscap.ini + +[Session] +; Handler used to store/retrieve data. +; http://php.net/session.save-handler +session.save_handler = files + +; Argument passed to save_handler. In the case of files, this is the path +; where data files are stored. Note: Windows users have to change this +; variable in order to use PHP's session functions. +; +; The path can be defined as: +; +; session.save_path = "N;/path" +; +; where N is an integer. Instead of storing all the session files in +; /path, what this will do is use subdirectories N-levels deep, and +; store the session data in those directories. This is useful if +; your OS has problems with many files in one directory, and is +; a more efficient layout for servers that handle many sessions. +; +; NOTE 1: PHP will not create this directory structure automatically. +; You can use the script in the ext/session dir for that purpose. +; NOTE 2: See the section on garbage collection below if you choose to +; use subdirectories for session storage +; +; The file storage module creates files using mode 600 by default. +; You can change that by using +; +; session.save_path = "N;MODE;/path" +; +; where MODE is the octal representation of the mode. Note that this +; does not overwrite the process's umask. +; http://php.net/session.save-path + +; RPM note : session directory must be owned by process owner +; for mod_php, see /etc/httpd/conf.d/php.conf +; for php-fpm, see /etc/php-fpm.d/*conf +;session.save_path = "/tmp" + +; Whether to use strict session mode. +; Strict session mode does not accept an uninitialized session ID, and +; regenerates the session ID if the browser sends an uninitialized session ID. +; Strict mode protects applications from session fixation via a session adoption +; vulnerability. It is disabled by default for maximum compatibility, but +; enabling it is encouraged. +; https://wiki.php.net/rfc/strict_sessions +session.use_strict_mode = 0 + +; Whether to use cookies. +; http://php.net/session.use-cookies +session.use_cookies = 1 + +; http://php.net/session.cookie-secure +;session.cookie_secure = + +; This option forces PHP to fetch and use a cookie for storing and maintaining +; the session id. We encourage this operation as it's very helpful in combating +; session hijacking when not specifying and managing your own session id. It is +; not the be-all and end-all of session hijacking defense, but it's a good start. +; http://php.net/session.use-only-cookies +session.use_only_cookies = 1 + +; Name of the session (used as cookie name). +; http://php.net/session.name +session.name = PHPSESSID + +; Initialize session on request startup. +; http://php.net/session.auto-start +session.auto_start = 0 + +; Lifetime in seconds of cookie or, if 0, until browser is restarted. +; http://php.net/session.cookie-lifetime +session.cookie_lifetime = 0 + +; The path for which the cookie is valid. +; http://php.net/session.cookie-path +session.cookie_path = / + +; The domain for which the cookie is valid. +; http://php.net/session.cookie-domain +session.cookie_domain = + +; Whether or not to add the httpOnly flag to the cookie, which makes it +; inaccessible to browser scripting languages such as JavaScript. +; http://php.net/session.cookie-httponly +session.cookie_httponly = + +; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF) +; Current valid values are "Strict", "Lax" or "None". When using "None", +; make sure to include the quotes, as `none` is interpreted like `false` in ini files. +; https://tools.ietf.org/html/draft-west-first-party-cookies-07 +session.cookie_samesite = + +; Handler used to serialize data. php is the standard serializer of PHP. +; http://php.net/session.serialize-handler +session.serialize_handler = php + +; Defines the probability that the 'garbage collection' process is started on every +; session initialization. The probability is calculated by using gc_probability/gc_divisor, +; e.g. 1/100 means there is a 1% chance that the GC process starts on each request. +; Default Value: 1 +; Development Value: 1 +; Production Value: 1 +; http://php.net/session.gc-probability +session.gc_probability = 1 + +; Defines the probability that the 'garbage collection' process is started on every +; session initialization. The probability is calculated by using gc_probability/gc_divisor, +; e.g. 1/100 means there is a 1% chance that the GC process starts on each request. +; For high volume production servers, using a value of 1000 is a more efficient approach. +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 +; http://php.net/session.gc-divisor +session.gc_divisor = 1000 + +; After this number of seconds, stored data will be seen as 'garbage' and +; cleaned up by the garbage collection process. +; http://php.net/session.gc-maxlifetime +session.gc_maxlifetime = 1440 + +; NOTE: If you are using the subdirectory option for storing session files +; (see session.save_path above), then garbage collection does *not* +; happen automatically. You will need to do your own garbage +; collection through a shell script, cron entry, or some other method. +; For example, the following script is the equivalent of setting +; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes): +; find /path/to/sessions -cmin +24 -type f | xargs rm + +; Check HTTP Referer to invalidate externally stored URLs containing ids. +; HTTP_REFERER has to contain this substring for the session to be +; considered as valid. +; http://php.net/session.referer-check +session.referer_check = + +; Set to {nocache,private,public,} to determine HTTP caching aspects +; or leave this empty to avoid sending anti-caching headers. +; http://php.net/session.cache-limiter +session.cache_limiter = nocache + +; Document expires after n minutes. +; http://php.net/session.cache-expire +session.cache_expire = 180 + +; trans sid support is disabled by default. +; Use of trans sid may risk your users' security. +; Use this option with caution. +; - User may send URL contains active session ID +; to other person via. email/irc/etc. +; - URL that contains active session ID may be stored +; in publicly accessible computer. +; - User may access your site with the same session ID +; always using URL stored in browser's history or bookmarks. +; http://php.net/session.use-trans-sid +session.use_trans_sid = 0 + +; Set session ID character length. This value could be between 22 to 256. +; Shorter length than default is supported only for compatibility reason. +; Users should use 32 or more chars. +; http://php.net/session.sid-length +; Default Value: 32 +; Development Value: 26 +; Production Value: 26 +session.sid_length = 26 + +; The URL rewriter will look for URLs in a defined set of HTML tags. +; <form> is special; if you include them here, the rewriter will +; add a hidden <input> field with the info which is otherwise appended +; to URLs. <form> tag's action attribute URL will not be modified +; unless it is specified. +; Note that all valid entries require a "=", even if no value follows. +; Default Value: "a=href,area=href,frame=src,form=" +; Development Value: "a=href,area=href,frame=src,form=" +; Production Value: "a=href,area=href,frame=src,form=" +; http://php.net/url-rewriter.tags +session.trans_sid_tags = "a=href,area=href,frame=src,form=" + +; URL rewriter does not rewrite absolute URLs by default. +; To enable rewrites for absolute paths, target hosts must be specified +; at RUNTIME. i.e. use ini_set() +; <form> tags is special. PHP will check action attribute's URL regardless +; of session.trans_sid_tags setting. +; If no host is defined, HTTP_HOST will be used for allowed host. +; Example value: php.net,www.php.net,wiki.php.net +; Use "," for multiple hosts. No spaces are allowed. +; Default Value: "" +; Development Value: "" +; Production Value: "" +;session.trans_sid_hosts="" + +; Define how many bits are stored in each character when converting +; the binary hash data to something readable. +; Possible values: +; 4 (4 bits: 0-9, a-f) +; 5 (5 bits: 0-9, a-v) +; 6 (6 bits: 0-9, a-z, A-Z, "-", ",") +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 +; http://php.net/session.hash-bits-per-character +session.sid_bits_per_character = 5 + +; Enable upload progress tracking in $_SESSION +; Default Value: On +; Development Value: On +; Production Value: On +; http://php.net/session.upload-progress.enabled +;session.upload_progress.enabled = On + +; Cleanup the progress information as soon as all POST data has been read +; (i.e. upload completed). +; Default Value: On +; Development Value: On +; Production Value: On +; http://php.net/session.upload-progress.cleanup +;session.upload_progress.cleanup = On + +; A prefix used for the upload progress key in $_SESSION +; Default Value: "upload_progress_" +; Development Value: "upload_progress_" +; Production Value: "upload_progress_" +; http://php.net/session.upload-progress.prefix +;session.upload_progress.prefix = "upload_progress_" + +; The index name (concatenated with the prefix) in $_SESSION +; containing the upload progress information +; Default Value: "PHP_SESSION_UPLOAD_PROGRESS" +; Development Value: "PHP_SESSION_UPLOAD_PROGRESS" +; Production Value: "PHP_SESSION_UPLOAD_PROGRESS" +; http://php.net/session.upload-progress.name +;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS" + +; How frequently the upload progress should be updated. +; Given either in percentages (per-file), or in bytes +; Default Value: "1%" +; Development Value: "1%" +; Production Value: "1%" +; http://php.net/session.upload-progress.freq +;session.upload_progress.freq = "1%" + +; The minimum delay between updates, in seconds +; Default Value: 1 +; Development Value: 1 +; Production Value: 1 +; http://php.net/session.upload-progress.min-freq +;session.upload_progress.min_freq = "1" + +; Only write session data when session data is changed. Enabled by default. +; http://php.net/session.lazy-write +;session.lazy_write = On + +[Assertion] +; Switch whether to compile assertions at all (to have no overhead at run-time) +; -1: Do not compile at all +; 0: Jump over assertion at run-time +; 1: Execute assertions +; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1) +; Default Value: 1 +; Development Value: 1 +; Production Value: -1 +; http://php.net/zend.assertions +zend.assertions = -1 + +; Assert(expr); active by default. +; http://php.net/assert.active +;assert.active = On + +; Throw an AssertionError on failed assertions +; http://php.net/assert.exception +;assert.exception = On + +; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active) +; http://php.net/assert.warning +;assert.warning = On + +; Don't bail out by default. +; http://php.net/assert.bail +;assert.bail = Off + +; User-function to be called if an assertion fails. +; http://php.net/assert.callback +;assert.callback = 0 + +[mbstring] +; language for internal character representation. +; This affects mb_send_mail() and mbstring.detect_order. +; http://php.net/mbstring.language +;mbstring.language = Japanese + +; Use of this INI entry is deprecated, use global internal_encoding instead. +; internal/script encoding. +; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*) +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;mbstring.internal_encoding = + +; Use of this INI entry is deprecated, use global input_encoding instead. +; http input encoding. +; mbstring.encoding_translation = On is needed to use this setting. +; If empty, default_charset or input_encoding or mbstring.input is used. +; The precedence is: default_charset < input_encoding < mbstring.http_input +; http://php.net/mbstring.http-input +;mbstring.http_input = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; http output encoding. +; mb_output_handler must be registered as output buffer to function. +; If empty, default_charset or output_encoding or mbstring.http_output is used. +; The precedence is: default_charset < output_encoding < mbstring.http_output +; To use an output encoding conversion, mbstring's output handler must be set +; otherwise output encoding conversion cannot be performed. +; http://php.net/mbstring.http-output +;mbstring.http_output = + +; enable automatic encoding translation according to +; mbstring.internal_encoding setting. Input chars are +; converted to internal encoding by setting this to On. +; Note: Do _not_ use automatic encoding translation for +; portable libs/applications. +; http://php.net/mbstring.encoding-translation +;mbstring.encoding_translation = Off + +; automatic encoding detection order. +; "auto" detect order is changed according to mbstring.language +; http://php.net/mbstring.detect-order +;mbstring.detect_order = auto + +; substitute_character used when character cannot be converted +; one from another +; http://php.net/mbstring.substitute-character +;mbstring.substitute_character = none + +; Enable strict encoding detection. +;mbstring.strict_detection = Off + +; This directive specifies the regex pattern of content types for which mb_output_handler() +; is activated. +; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml) +;mbstring.http_output_conv_mimetype= + +; This directive specifies maximum stack depth for mbstring regular expressions. It is similar +; to the pcre.recursion_limit for PCRE. +;mbstring.regex_stack_limit=100000 + +; This directive specifies maximum retry count for mbstring regular expressions. It is similar +; to the pcre.backtrack_limit for PCRE. +;mbstring.regex_retry_limit=1000000 + +[gd] +; Tell the jpeg decode to ignore warnings and try to create +; a gd image. The warning will then be displayed as notices +; disabled by default +; http://php.net/gd.jpeg-ignore-warning +;gd.jpeg_ignore_warning = 1 + +[exif] +; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS. +; With mbstring support this will automatically be converted into the encoding +; given by corresponding encode setting. When empty mbstring.internal_encoding +; is used. For the decode settings you can distinguish between motorola and +; intel byte order. A decode setting cannot be empty. +; http://php.net/exif.encode-unicode +;exif.encode_unicode = ISO-8859-15 + +; http://php.net/exif.decode-unicode-motorola +;exif.decode_unicode_motorola = UCS-2BE + +; http://php.net/exif.decode-unicode-intel +;exif.decode_unicode_intel = UCS-2LE + +; http://php.net/exif.encode-jis +;exif.encode_jis = + +; http://php.net/exif.decode-jis-motorola +;exif.decode_jis_motorola = JIS + +; http://php.net/exif.decode-jis-intel +;exif.decode_jis_intel = JIS + +[Tidy] +; The path to a default tidy configuration file to use when using tidy +; http://php.net/tidy.default-config +;tidy.default_config = /usr/local/lib/php/default.tcfg + +; Should tidy clean and repair output automatically? +; WARNING: Do not use this option if you are generating non-html content +; such as dynamic images +; http://php.net/tidy.clean-output +tidy.clean_output = Off + +[soap] +; Enables or disables WSDL caching feature. +; http://php.net/soap.wsdl-cache-enabled +soap.wsdl_cache_enabled=1 + +; Sets the directory name where SOAP extension will put cache files. +; http://php.net/soap.wsdl-cache-dir + +; RPM note : cache directory must be owned by process owner +; for mod_php, see /etc/httpd/conf.d/php.conf +; for php-fpm, see /etc/php-fpm.d/*conf +soap.wsdl_cache_dir="/tmp" + +; (time to live) Sets the number of second while cached file will be used +; instead of original one. +; http://php.net/soap.wsdl-cache-ttl +soap.wsdl_cache_ttl=86400 + +; Sets the size of the cache limit. (Max. number of WSDL files to cache) +soap.wsdl_cache_limit = 5 + +[sysvshm] +; A default size of the shared memory segment +;sysvshm.init_mem = 10000 + +[ldap] +; Sets the maximum number of open links or -1 for unlimited. +ldap.max_links = -1 + +[dba] +;dba.default_handler= + +[opcache] +; see /etc/php.d/10-opcache.ini + +[curl] +; A default value for the CURLOPT_CAINFO option. This is required to be an +; absolute path. +;curl.cainfo = + +[openssl] +; The location of a Certificate Authority (CA) file on the local filesystem +; to use when verifying the identity of SSL/TLS peers. Most users should +; not specify a value for this directive as PHP will attempt to use the +; OS-managed cert stores in its absence. If specified, this value may still +; be overridden on a per-stream basis via the "cafile" SSL stream context +; option. +;openssl.cafile= + +; If openssl.cafile is not specified or if the CA file is not found, the +; directory pointed to by openssl.capath is searched for a suitable +; certificate. This value must be a correctly hashed certificate directory. +; Most users should not specify a value for this directive as PHP will +; attempt to use the OS-managed cert stores in its absence. If specified, +; this value may still be overridden on a per-stream basis via the "capath" +; SSL stream context option. +;openssl.capath= + +[ffi] +; see /etc/php.d/20-ffi.ini diff --git a/php.modconf b/php.modconf new file mode 100644 index 0000000..6f678e6 --- /dev/null +++ b/php.modconf @@ -0,0 +1,14 @@ +# +# PHP is an HTML-embedded scripting language which attempts to make it +# easy for developers to write dynamically generated webpages. +# + +# Cannot load both php5, php7 and php modules +<IfModule !mod_php5.c> + <IfModule !mod_php7.c> + <IfModule prefork.c> + LoadModule php_module modules/libphp.so + </IfModule> + </IfModule> +</IfModule> + diff --git a/php.spec b/php.spec new file mode 100644 index 0000000..ea067a9 --- /dev/null +++ b/php.spec @@ -0,0 +1,3841 @@ +# remirepo spec file for php80-php +# with SCL and backport stuff, adapted from +# +# Fedora spec file for php +# +# License: MIT +# http://opensource.org/licenses/MIT +# +# Please preserve changelog entries +# +%if 0%{?scl:1} +%scl_package php +%else +%global pkg_name %{name} +%global _root_sysconfdir %{_sysconfdir} +%global _root_bindir %{_bindir} +%global _root_sbindir %{_sbindir} +%global _root_includedir %{_includedir} +%global _root_libdir %{_libdir} +%global _root_prefix %{_prefix} +%global _root_initddir %{_initddir} +%global _root_datadir %{_datadir} +%endif + +# API/ABI check +%global apiver 20200930 +%global zendver 20200930 +%global pdover 20170320 +# Extension version +%global oci8ver 3.0.1 + +# Adds -z now to the linker flags +%global _hardened_build 1 + +# version used for php embedded library soname +%global embed_version 8.0 + +# Ugly hack. Harcoded values to avoid relocation. +%global _httpd_mmn %(cat %{_root_includedir}/httpd/.mmn 2>/dev/null || echo 0) +%global _httpd_confdir %{_root_sysconfdir}/httpd/conf.d +%global _httpd_moddir %{_libdir}/httpd/modules +%global _root_httpd_moddir %{_root_libdir}/httpd/modules +# httpd 2.4 values +%global _httpd_apxs %{_root_bindir}/apxs +%global _httpd_modconfdir %{_root_sysconfdir}/httpd/conf.modules.d +%global _httpd_contentdir /usr/share/httpd + +%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_root_sysconfdir}/rpm; echo $d) + +%global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock) + +%global oraclever 21.6 +%global oraclelib 21.1 + +# Build for LiteSpeed Web Server (LSAPI), you can disable using --without tests +%bcond_without lsws + +# Regression tests take a long time, you can skip 'em with this +%bcond_without tests + + +# Use the arch-specific mysql_config binary to avoid mismatch with the +# arch detection heuristic used by bindir/mysql_config. +%global mysql_config %{_root_libdir}/mysql/mysql_config + +# Optional extensions; to enable: pass "--with xxx" etc to rpmbuild/mock. +%bcond_with oci8 +%bcond_with zip +# Optional extensions; to disable: pass "--without xxx" etc to rpmbuild/mock. +%bcond_without imap +%bcond_without firebird +%bcond_without freetds +%bcond_without tidy +%bcond_without sqlite3 +%bcond_without enchant + +%if 0%{?fedora} >= 27 || 0%{?rhel} >= 8 +# switch to bundled library using --without libpcre +%bcond_without libpcre +%else +# switch to system library using --with libpcre +%bcond_with libpcre +%endif + +# Using qdbm from "remi" for now, see https://bugzilla.redhat.com/2017308 +%if 0%{?fedora} >= 33 || 0%{?rhel} >= 8 +%bcond_without qdbm +%else +%bcond_with qdbm +%endif + +%if 0%{?fedora} >= 33 || 0%{?rhel} >= 8 +# switch to bundled library using --without libxcrypt +%bcond_without libxcrypt +%else +# switch to system library using --with libxcrypt +%bcond_with libxcrypt +%endif + +%bcond_without dtrace + +# build with system libgd (gd-last in remi repo) +%bcond_without libgd + +# httpd 2.4.10 with httpd-filesystem and sethandler support +%if 0%{?fedora} >= 21 || 0%{?rhel} >= 8 +%global with_httpd2410 1 +%else +%global with_httpd2410 0 +%endif + +%global gh_commit 18f2ef094af2b1ad961408fbaf222b9448df2750 +%global gh_short %(c=%{gh_commit}; echo ${c:0:7}) +#global gh_date 20200615 +%global gh_owner php +%global gh_project php-src +%global upver 8.0.19 +#global rcver RC1 + +Summary: PHP scripting language for creating dynamic web sites +Name: %{?scl_prefix}php +Version: %{upver}%{?rcver:~%{rcver}}%{?gh_date:.%{gh_date}} +Release: 1%{?dist} +# All files licensed under PHP version 3.01, except +# Zend is licensed under Zend +# TSRM is licensed under BSD +# main/snprintf.c, main/spprintf.c and main/rfc1867.c are ASL 1.0 +# ext/date/lib is MIT +# Zend/zend_sort is NCSA +License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA +URL: http://www.php.net/ + +%if 0%{?gh_date} +Source0: https://github.com/%{gh_owner}/%{gh_project}/archive/%{gh_commit}/%{gh_project}-%{upver}-%{gh_short}.tar.gz +%else +Source0: http://www.php.net/distributions/php-%{upver}%{?rcver}.tar.xz +# See https://secure.php.net/gpg-keys.php +Source20: https://www.php.net/distributions/php-keyring.gpg +Source21: https://www.php.net/distributions/php-%{upver}%{?rcver}.tar.xz.asc +%endif +Source1: php.conf +Source2: php.ini +Source3: macros.php +Source4: php-fpm.conf +Source5: php-fpm-www.conf +Source6: php-fpm.service +Source7: php-fpm.logrotate +Source8: php-fpm.sysconfig +Source9: php.modconf +Source10: php.conf2 +Source12: php-fpm.wants +# Configuration files for some extensions +Source50: 10-opcache.ini +Source51: opcache-default.blacklist +Source52: 20-oci8.ini +Source53: 20-ffi.ini + +# Build fixes +Patch1: php-7.4.0-httpd.patch +Patch5: php-7.2.0-includedir.patch +Patch6: php-8.0.0-embed.patch +Patch8: php-7.4.0-libdb.patch +# get rid of deprecated functions from 8.1 +Patch9: php-8.0.6-deprecated.patch +# RHEL backports +Patch10: php-7.0.7-curl.patch + +# Functional changes +# Use system nikic/php-parser +Patch41: php-8.0.19-parser.patch +# use system tzdata +Patch42: php-8.0.10-systzdata-v21.patch +# See http://bugs.php.net/53436 +Patch43: php-7.4.0-phpize.patch +# Use -lldap_r for OpenLDAP +Patch45: php-7.4.0-ldap_r.patch +# Ignore unsupported "threads" option on password_hash +Patch46: php-8.0.7-argon2.patch +# drop "Configure command" from phpinfo output +# and only use gcc (instead of full version) +Patch47: php-8.0.0-phpinfo.patch +# add sha256 / sha512 security protocol, from 8.1 +Patch48: php-8.0.10-snmp-sha.patch +# switch phar to use sha256 signature by default, from 8.1 +# implement openssl_256 and openssl_512 for phar signatures, from 8.1 +Patch49: php-8.0.10-phar-sha.patch +# compatibility with OpenSSL 3.0, from 8.1 +Patch50: php-8.0.10-openssl3.patch +# use system libxcrypt, from 8.1 +Patch51: php-8.0.13-crypt.patch + +# RC Patch +Patch91: php-7.2.0-oci8conf.patch + +# Upstream fixes (100+) + +# Security fixes (200+) + +# Fixes for tests (300+) +# Factory is droped from system tzdata +Patch300: php-7.4.0-datetests.patch + +# WIP + +BuildRequires: gnupg2 +BuildRequires: bzip2-devel +BuildRequires: pkgconfig(libcurl) >= 7.29.0 +BuildRequires: libdb-devel +BuildRequires: httpd-devel >= 2.0.46-1 +BuildRequires: pam-devel +%if %{with_httpd2410} +# to ensure we are using httpd with filesystem feature (see #1081453) +BuildRequires: httpd-filesystem +%endif +BuildRequires: %{?dtsprefix}libstdc++-devel +# no pkgconfig to avoid compat-openssl10 +BuildRequires: openssl-devel >= 1.0.1 +BuildRequires: pkgconfig(sqlite3) >= 3.7.4 +BuildRequires: pkgconfig(zlib) >= 1.2.0.4 +BuildRequires: smtpdaemon +BuildRequires: pkgconfig(libedit) +%if %{with libpcre} +BuildRequires: pkgconfig(libpcre2-8) >= 10.30 +%else +Provides: bundled(pcre2) = 10.32 +%endif +%if %{with libxcrypt} +BuildRequires: pkgconfig(libxcrypt) +%endif +BuildRequires: bzip2 +BuildRequires: perl +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: make +BuildRequires: %{?dtsprefix}gcc +BuildRequires: %{?dtsprefix}gcc-c++ +BuildRequires: libtool +BuildRequires: libtool-ltdl-devel +%if %{with dtrace} +BuildRequires: %{?dtsprefix}systemtap-sdt-devel +%endif +%if 0%{?gh_date} +BuildRequires: bison +BuildRequires: re2c +%endif +# used for tests +BuildRequires: /bin/ps + +Requires: httpd-mmn = %{_httpd_mmn} +Provides: %{?scl_prefix}mod_php = %{version}-%{release} +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +# To ensure correct /var/lib/php/session ownership: +%if %{with_httpd2410} +Requires(pre): httpd-filesystem +%else +Requires(pre): httpd +%endif + +%if 0%{?fedora} >= 27 || 0%{?rhel} >= 8 +# For backwards-compatibility, pull the "php" command +Recommends: %{?scl_prefix}php-cli%{?_isa} = %{version}-%{release} +# httpd have threaded MPM by default +Recommends: %{?scl_prefix}php-fpm%{?_isa} = %{version}-%{release} +# as "php" is now mostly a meta-package, commonly used extensions +Recommends: %{?scl_prefix}php-mbstring%{?_isa} = %{version}-%{release} +Recommends: %{?scl_prefix}php-opcache%{?_isa} = %{version}-%{release} +Recommends: %{?scl_prefix}php-pdo%{?_isa} = %{version}-%{release} +Recommends: %{?scl_prefix}php-sodium%{?_isa} = %{version}-%{release} +Recommends: %{?scl_prefix}php-xml%{?_isa} = %{version}-%{release} +%else +# For backwards-compatibility, require php-cli for the time being: +Requires: %{?scl_prefix}php-cli%{?_isa} = %{version}-%{release} +# For ARGON2 password +Requires: %{?scl_prefix}php-sodium%{?_isa} = %{version}-%{release} +%endif + + +# Don't provides extensions, or shared libraries (embedded) +%{?filter_from_requires: %filter_from_requires /libphp.*so/d} +%{?filter_provides_in: %filter_provides_in %{_libdir}/.*\.so$} +%{?filter_setup} + + +%description +PHP is an HTML-embedded scripting language. PHP attempts to make it +easy for developers to write dynamically generated web pages. PHP also +offers built-in database integration for several commercial and +non-commercial database management systems, so writing a +database-enabled webpage with PHP is fairly simple. The most common +use of PHP coding is probably as a replacement for CGI scripts. + +This package contains the module (often referred to as mod_php) +which adds support for the PHP language to system Apache HTTP Server. + + +%package cli +Summary: Command-line interface for PHP +# sapi/cli/ps_title.c is PostgreSQL +License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA and PostgreSQL +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php-cgi = %{version}-%{release}, %{?scl_prefix}php-cgi%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php-pcntl, %{?scl_prefix}php-pcntl%{?_isa} +Provides: %{?scl_prefix}php-readline, %{?scl_prefix}php-readline%{?_isa} + +%description cli +The %{?scl_prefix}php-cli package contains the command-line interface +executing PHP scripts, %{_bindir}/php, and the CGI interface. + + +%package dbg +Summary: The interactive PHP debugger +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} + +%description dbg +The %{?scl_prefix}php-dbg package contains the interactive PHP debugger. + + +%package fpm +Summary: PHP FastCGI Process Manager +BuildRequires: libacl-devel +BuildRequires: pkgconfig(libsystemd) >= 209 +Requires(pre): %{_root_sbindir}/useradd +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +%{?systemd_requires} +# This is actually needed for the %%triggerun script but Requires(triggerun) +# is not valid. We can use %%post because this particular %%triggerun script +# should fire just after this package is installed. +Requires(post): systemd-sysv +%if %{with_httpd2410} +# To ensure correct /var/lib/php/session ownership: +Requires(pre): httpd-filesystem +# For php.conf in /etc/httpd/conf.d +# and version 2.4.10 for proxy support in SetHandler +Requires: httpd-filesystem >= 2.4.10 +%endif + +%description fpm +PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI +implementation with some additional features useful for sites of +any size, especially busier sites. + +%if %{with lsws} +%package litespeed +Summary: LiteSpeed Web Server PHP support +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} + +%description litespeed +The %{?scl_prefix}php-litespeed package provides the %{_bindir}/lsphp command +used by the LiteSpeed Web Server (LSAPI enabled PHP). +%endif + + +%package embedded +Summary: PHP library for embedding in applications +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +# doing a real -devel package for just the .so symlink is a bit overkill +Provides: %{?scl_prefix}php-embedded-devel = %{version}-%{release} +Provides: %{?scl_prefix}php-embedded-devel%{?_isa} = %{version}-%{release} + +%description embedded +The %{?scl_prefix}php-embedded package contains a library which can be embedded +into applications to provide PHP scripting language support. + + +%package common +Summary: Common files for PHP +# All files licensed under PHP version 3.01, except +# fileinfo is licensed under PHP version 3.0 +# regex, libmagic are licensed under BSD +License: PHP and BSD +# ABI/API check - Arch specific +Provides: %{?scl_prefix}php(api) = %{apiver}-%{__isa_bits} +Provides: %{?scl_prefix}php(zend-abi) = %{zendver}-%{__isa_bits} +Provides: %{?scl_prefix}php(language) = %{version} +Provides: %{?scl_prefix}php(language)%{?_isa} = %{version} +# Provides for all builtin/shared modules: +Provides: %{?scl_prefix}php-bz2, %{?scl_prefix}php-bz2%{?_isa} +Provides: %{?scl_prefix}php-calendar, %{?scl_prefix}php-calendar%{?_isa} +Provides: %{?scl_prefix}php-core = %{version}, %{?scl_prefix}php-core%{?_isa} = %{version} +Provides: %{?scl_prefix}php-ctype, %{?scl_prefix}php-ctype%{?_isa} +Provides: %{?scl_prefix}php-curl, %{?scl_prefix}php-curl%{?_isa} +Provides: %{?scl_prefix}php-date, %{?scl_prefix}php-date%{?_isa} +Provides: bundled(timelib) +Provides: %{?scl_prefix}php-exif, %{?scl_prefix}php-exif%{?_isa} +Provides: %{?scl_prefix}php-fileinfo, %{?scl_prefix}php-fileinfo%{?_isa} +Provides: bundled(libmagic) = 5.29 +Provides: %{?scl_prefix}php-filter, %{?scl_prefix}php-filter%{?_isa} +Provides: %{?scl_prefix}php-ftp, %{?scl_prefix}php-ftp%{?_isa} +Provides: %{?scl_prefix}php-gettext, %{?scl_prefix}php-gettext%{?_isa} +Provides: %{?scl_prefix}php-hash, %{?scl_prefix}php-hash%{?_isa} +Provides: %{?scl_prefix}php-mhash = %{version}, %{?scl_prefix}php-mhash%{?_isa} = %{version} +Provides: %{?scl_prefix}php-iconv, %{?scl_prefix}php-iconv%{?_isa} +Obsoletes: %{?scl_prefix}php-json < 8.0.0 +Provides: %{?scl_prefix}php-json = %{upver}, %{?scl_prefix}php-json%{?_isa} = %{upver} +Provides: %{?scl_prefix}php-libxml, %{?scl_prefix}php-libxml%{?_isa} +Provides: %{?scl_prefix}php-openssl, %{?scl_prefix}php-openssl%{?_isa} +Provides: %{?scl_prefix}php-phar, %{?scl_prefix}php-phar%{?_isa} +Provides: %{?scl_prefix}php-pcre, %{?scl_prefix}php-pcre%{?_isa} +Provides: %{?scl_prefix}php-reflection, %{?scl_prefix}php-reflection%{?_isa} +Provides: %{?scl_prefix}php-session, %{?scl_prefix}php-session%{?_isa} +Provides: %{?scl_prefix}php-sockets, %{?scl_prefix}php-sockets%{?_isa} +Provides: %{?scl_prefix}php-spl, %{?scl_prefix}php-spl%{?_isa} +Provides: %{?scl_prefix}php-standard = %{version}, %{?scl_prefix}php-standard%{?_isa} = %{version} +Provides: %{?scl_prefix}php-tokenizer, %{?scl_prefix}php-tokenizer%{?_isa} +Provides: %{?scl_prefix}php-zlib, %{?scl_prefix}php-zlib%{?_isa} +%{?scl:Requires: %{scl}-runtime} + +%description common +The %{?scl_prefix}php-common package contains files used by both +the %{?scl_prefix}php package and the %{?scl_prefix}php-cli package. + +%package devel +Summary: Files needed for building PHP extensions +Requires: %{?scl_prefix}php-cli%{?_isa} = %{version}-%{release} +# always needed to build extension +Requires: autoconf +Requires: automake +Requires: make +Requires: gcc +Requires: gcc-c++ +Requires: libtool +# see "php-config --libs" +Requires: krb5-devel%{?_isa} +Requires: libxml2-devel%{?_isa} +Requires: openssl-devel%{?_isa} >= 1.0.1 +%if %{with libpcre} +Requires: pcre2-devel%{?_isa} >= 10.30 +%endif +Requires: zlib-devel%{?_isa} +%if 0%{?fedora} || 0%{?rhel} >= 8 +Recommends: php-nikic-php-parser4 >= 4.13.0 +%endif + +%description devel +The %{?scl_prefix}php-devel package contains the files needed for building PHP +extensions. If you need to compile your own PHP extensions, you will +need to install this package. + +%package opcache +Summary: The Zend OPcache +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php-pecl-zendopcache = %{version} +Provides: %{?scl_prefix}php-pecl-zendopcache%{?_isa} = %{version} +Provides: %{?scl_prefix}php-pecl(opcache) = %{version} +Provides: %{?scl_prefix}php-pecl(opcache)%{?_isa} = %{version} + +%description opcache +The Zend OPcache provides faster PHP execution through opcode caching and +optimization. It improves PHP performance by storing precompiled script +bytecode in the shared memory. This eliminates the stages of reading code from +the disk and compiling it on future access. In addition, it applies a few +bytecode optimization patterns that make code execution faster. + +%if %{with imap} +%package imap +Summary: A module for PHP applications that use IMAP +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +BuildRequires: pkgconfig(krb5) +BuildRequires: pkgconfig(krb5-gssapi) +BuildRequires: openssl-devel >= 1.0.1 +BuildRequires: libc-client-devel + +%description imap +The %{?scl_prefix}php-imap module will add IMAP (Internet Message Access Protocol) +support to PHP. IMAP is a protocol for retrieving and uploading e-mail +messages on mail servers. PHP is an HTML-embedded scripting language. +%endif + +%package ldap +Summary: A module for PHP applications that use LDAP +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +BuildRequires: pkgconfig(libsasl2) +BuildRequires: openldap-devel +BuildRequires: openssl-devel >= 1.0.1 + +%description ldap +The %{?scl_prefix}php-ldap package adds Lightweight Directory Access Protocol (LDAP) +support to PHP. LDAP is a set of protocols for accessing directory +services over the Internet. PHP is an HTML-embedded scripting +language. + +%package pdo +Summary: A database access abstraction module for PHP applications +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +# ABI/API check - Arch specific +Provides: %{?scl_prefix}php-pdo-abi = %{pdover}-%{__isa_bits} +Provides: %{?scl_prefix}php(pdo-abi) = %{pdover}-%{__isa_bits} +%if %{with sqlite3} +Provides: %{?scl_prefix}php-sqlite3, %{?scl_prefix}php-sqlite3%{?_isa} +%endif +Provides: %{?scl_prefix}php-pdo_sqlite, %{?scl_prefix}php-pdo_sqlite%{?_isa} + +%description pdo +The %{?scl_prefix}php-pdo package contains a dynamic shared object that will add +a database access abstraction layer to PHP. This module provides +a common interface for accessing MySQL, PostgreSQL or other +databases. + +%package mysqlnd +Summary: A module for PHP applications that use MySQL databases +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-pdo%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php_database +Provides: %{?scl_prefix}php-mysqli = %{version}-%{release} +Provides: %{?scl_prefix}php-mysqli%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php-pdo_mysql, %{?scl_prefix}php-pdo_mysql%{?_isa} + +%description mysqlnd +The %{?scl_prefix}php-mysqlnd package contains a dynamic shared object that will add +MySQL database support to PHP. MySQL is an object-relational database +management system. PHP is an HTML-embeddable scripting language. If +you need MySQL support for PHP applications, you will need to install +this package and the php package. + +This package use the MySQL Native Driver + +%package pgsql +Summary: A PostgreSQL database module for PHP +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-pdo%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php_database +Provides: %{?scl_prefix}php-pdo_pgsql, %{?scl_prefix}php-pdo_pgsql%{?_isa} +BuildRequires: krb5-devel +BuildRequires: openssl-devel >= 1.0.1 +BuildRequires: postgresql-devel + +%description pgsql +The %{?scl_prefix}php-pgsql package add PostgreSQL database support to PHP. +PostgreSQL is an object-relational database management +system that supports almost all SQL constructs. PHP is an +HTML-embedded scripting language. If you need back-end support for +PostgreSQL, you should install this package in addition to the main +php package. + +%package process +Summary: Modules for PHP script using system process interfaces +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php-posix, %{?scl_prefix}php-posix%{?_isa} +Provides: %{?scl_prefix}php-shmop, %{?scl_prefix}php-shmop%{?_isa} +Provides: %{?scl_prefix}php-sysvsem, %{?scl_prefix}php-sysvsem%{?_isa} +Provides: %{?scl_prefix}php-sysvshm, %{?scl_prefix}php-sysvshm%{?_isa} +Provides: %{?scl_prefix}php-sysvmsg, %{?scl_prefix}php-sysvmsg%{?_isa} + +%description process +The %{?scl_prefix}php-process package contains dynamic shared objects which add +support to PHP using system interfaces for inter-process +communication. + +%package odbc +Summary: A module for PHP applications that use ODBC databases +# All files licensed under PHP version 3.01, except +# pdo_odbc is licensed under PHP version 3.0 +License: PHP +Requires: %{?scl_prefix}php-pdo%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php_database +Provides: %{?scl_prefix}php-pdo_odbc, %{?scl_prefix}php-pdo_odbc%{?_isa} +# EL-7 version don't have pkgconfig +BuildRequires: unixODBC-devel + +%description odbc +The %{?scl_prefix}php-odbc package contains a dynamic shared object that will add +database support through ODBC to PHP. ODBC is an open specification +which provides a consistent API for developers to use for accessing +data sources (which are often, but not always, databases). PHP is an +HTML-embeddable scripting language. If you need ODBC support for PHP +applications, you will need to install this package and the php +package. + +%package soap +Summary: A module for PHP applications that use the SOAP protocol +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +BuildRequires: pkgconfig(libxml-2.0) + +%description soap +The %{?scl_prefix}php-soap package contains a dynamic shared object that will add +support to PHP for using the SOAP web services protocol. + +%if %{with firebird} +%package pdo-firebird +Summary: PDO driver for Interbase/Firebird databases +# All files licensed under PHP version 3.01 +License: PHP +BuildRequires: firebird-devel +Requires: %{?scl_prefix}php-pdo%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php_database +Provides: %{?scl_prefix}php-pdo_firebird, %{?scl_prefix}php-pdo_firebird%{?_isa} + +%description pdo-firebird +The %{?scl_prefix}php-pdo-firebird package contains the PDO driver for +Interbase/Firebird databases. + + +InterBase is the name of the closed-source variant of this RDBMS that was +developed by Borland/Inprise. + +Firebird is a commercially independent project of C and C++ programmers, +technical advisors and supporters developing and enhancing a multi-platform +relational database management system based on the source code released by +Inprise Corp (now known as Borland Software Corp) under the InterBase Public +License. +%endif + +%if %{with oci8} +%package oci8 +Summary: A module for PHP applications that use OCI8 databases +# All files licensed under PHP version 3.01 +License: PHP +BuildRequires: oracle-instantclient-devel >= %{oraclever} +Requires: %{?scl_prefix}php-pdo%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php_database +Provides: %{?scl_prefix}php-pdo_oci +Provides: %{?scl_prefix}php-pdo_oci%{?_isa} +Obsoletes: %{?scl_prefix}php-pecl-oci8 <= %{oci8ver} +Conflicts: %{?scl_prefix}php-pecl-oci8 > %{oci8ver} +Provides: %{?scl_prefix}php-pecl(oci8) = %{oci8ver} +Provides: %{?scl_prefix}php-pecl(oci8)%{?_isa} = %{oci8ver} +# Should requires libclntsh.so.18.3, but it's not provided by Oracle RPM. +AutoReq: 0 + +%description oci8 +The %{?scl_prefix}php-oci8 packages provides the OCI8 extension version %{oci8ver} +and the PDO driver to access Oracle Database. + +The extension is linked with Oracle client libraries %{oraclever} +(Oracle Instant Client). For details, see Oracle's note +"Oracle Client / Server Interoperability Support" (ID 207303.1). + +You must install libclntsh.so.%{oraclelib} to use this package, provided +in the database installation, or in the free Oracle Instant Client +available from Oracle. + +Notice: +- %{?scl_prefix}php-oci8 provides oci8 and pdo_oci extensions from php sources. +- %{?scl_prefix}php-pecl-oci8 only provides oci8 extension. + +Documentation is at http://php.net/oci8 and http://php.net/pdo_oci +%endif + +%package snmp +Summary: A module for PHP applications that query SNMP-managed devices +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release}, net-snmp +BuildRequires: net-snmp-devel + +%description snmp +The %{?scl_prefix}php-snmp package contains a dynamic shared object that will add +support for querying SNMP devices to PHP. PHP is an HTML-embeddable +scripting language. If you need SNMP support for PHP applications, you +will need to install this package and the php package. + +%package xml +Summary: A module for PHP applications which use XML +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +Provides: %{?scl_prefix}php-dom, %{?scl_prefix}php-dom%{?_isa} +Provides: %{?scl_prefix}php-domxml, %{?scl_prefix}php-domxml%{?_isa} +Provides: %{?scl_prefix}php-simplexml, %{?scl_prefix}php-simplexml%{?_isa} +Provides: %{?scl_prefix}php-xmlreader, %{?scl_prefix}php-xmlreader%{?_isa} +Provides: %{?scl_prefix}php-xmlwriter, %{?scl_prefix}php-xmlwriter%{?_isa} +Provides: %{?scl_prefix}php-xsl, %{?scl_prefix}php-xsl%{?_isa} +BuildRequires: pkgconfig(libxslt) >= 1.1 +BuildRequires: pkgconfig(libexslt) +BuildRequires: pkgconfig(libxml-2.0) >= 2.7.6 + +%description xml +The %{?scl_prefix}php-xml package contains dynamic shared objects which add support +to PHP for manipulating XML documents using the DOM tree, +and performing XSL transformations on XML documents. + +%package mbstring +Summary: A module for PHP applications which need multi-byte string handling +# All files licensed under PHP version 3.01, except +# libmbfl is licensed under LGPLv2 +# onigurama is licensed under BSD +# ucgendat is licensed under OpenLDAP +License: PHP and LGPLv2 and BSD and OpenLDAP +%if 0%{?rhel} +BuildRequires: oniguruma5php-devel +%else +BuildRequires: oniguruma-devel +%endif +Provides: bundled(libmbfl) = 1.3.2 +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} + +%description mbstring +The %{?scl_prefix}php-mbstring package contains a dynamic shared object that will add +support for multi-byte string handling to PHP. + +%package gd +Summary: A module for PHP applications for using the gd graphics library +# All files licensed under PHP version 3.01 +%if %{with libgd} +License: PHP +%else +# bundled libgd is licensed under BSD +License: PHP and BSD +%endif +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +%if %{with libgd} +BuildRequires: pkgconfig(gdlib) >= 2.3.3 +%else +# Required to build the bundled GD library +BuildRequires: pkgconfig(zlib) +BuildRequires: pkgconfig(libjpeg) +BuildRequires: pkgconfig(libpng) +BuildRequires: pkgconfig(freetype2) +BuildRequires: pkgconfig(xpm) +BuildRequires: pkgconfig(libwebp) +Provides: bundled(gd) = 2.0.35 +%endif + +%description gd +The %{?scl_prefix}php-gd package contains a dynamic shared object that will add +support for using the gd graphics library to PHP. + +%package bcmath +Summary: A module for PHP applications for using the bcmath library +# All files licensed under PHP version 3.01, except +# libbcmath is licensed under LGPLv2+ +License: PHP and LGPLv2+ +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +Provides: bundled(libbcmath) + +%description bcmath +The %{?scl_prefix}php-bcmath package contains a dynamic shared object that will add +support for using the bcmath library to PHP. + +%package gmp +Summary: A module for PHP applications for using the GNU MP library +# All files licensed under PHP version 3.01 +License: PHP +BuildRequires: gmp-devel +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} + +%description gmp +These functions allow you to work with arbitrary-length integers +using the GNU MP library. + +%package dba +Summary: A database abstraction layer module for PHP applications +# All files licensed under PHP version 3.01 +License: PHP +BuildRequires: libdb-devel +BuildRequires: tokyocabinet-devel +BuildRequires: lmdb-devel +%if %{with qdbm} +BuildRequires: qdbm-devel +%endif +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} + +%description dba +The %{?scl_prefix}php-dba package contains a dynamic shared object that will add +support for using the DBA database abstraction layer to PHP. + +%if %{with tidy} +%package tidy +Summary: Standard PHP module provides tidy library support +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +BuildRequires: libtidy-devel + +%description tidy +The %{?scl_prefix}php-tidy package contains a dynamic shared object that will add +support for using the tidy library to PHP. +%endif + +%if %{with freetds} +%package pdo-dblib +Summary: PDO driver for Microsoft SQL Server and Sybase databases +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-pdo%{?_isa} = %{version}-%{release} +BuildRequires: freetds-devel +Provides: %{?scl_prefix}php-pdo_dblib, %{?scl_prefix}php-pdo_dblib%{?_isa} + +%description pdo-dblib +The %{?scl_prefix}php-pdo-dblib package contains a dynamic shared object +that implements the PHP Data Objects (PDO) interface to enable access from +PHP to Microsoft SQL Server and Sybase databases through the FreeTDS library. +%endif + +%package pspell +Summary: A module for PHP applications for using pspell interfaces +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +BuildRequires: aspell-devel >= 0.50.0 + +%description pspell +The %{?scl_prefix}php-pspell package contains a dynamic shared object that will add +support for using the pspell library to PHP. + +%package intl +Summary: Internationalization extension for PHP applications +# All files licensed under PHP version 3.01 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +BuildRequires: pkgconfig(icu-i18n) >= 69 +BuildRequires: pkgconfig(icu-io) >= 69 +BuildRequires: pkgconfig(icu-uc) >= 69 + +%description intl +The %{?scl_prefix}php-intl package contains a dynamic shared object that will add +support for using the ICU library to PHP. + +%if %{with enchant} +%package enchant +Summary: Enchant spelling extension for PHP applications +# All files licensed under PHP version 3.0 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +BuildRequires: pkgconfig(enchant-2) + +%description enchant +The %{?scl_prefix}php-enchant package contains a dynamic shared object that will add +support for using the enchant library to PHP. +%endif + +%if %{with zip} +%package zip +Summary: ZIP archive management extension for PHP +# All files licensed under PHP version 3.0.1 +License: PHP +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +BuildRequires: pkgconfig(libzip) >= 0.11 + +%description zip +The %{?scl_prefix}php-zip package provides an extension that will add +support for ZIP archive management to PHP. +%endif + + +%package sodium +Summary: Wrapper for the Sodium cryptographic library +# All files licensed under PHP version 3.0.1 +License: PHP +# Minimal is 1.0.8, 1.0.14 is needed for argon2 password +BuildRequires: pkgconfig(libsodium) >= 1.0.14 + +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} +Obsoletes: %{?scl_prefix}php-pecl-libsodium2 < 3 +Provides: %{?scl_prefix}php-pecl(libsodium) = %{version} +Provides: %{?scl_prefix}php-pecl(libsodium)%{?_isa} = %{version} + +%description sodium +The %{?scl_prefix}php-sodium package provides a simple, +low-level PHP extension for the libsodium cryptographic library. + + +%package ffi +Summary: Foreign Function Interface +# All files licensed under PHP version 3.0.1 +License: PHP +BuildRequires: pkgconfig(libffi) + +Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} + +%description ffi +FFI is one of the features that made Python and LuaJIT very useful for fast +prototyping. It allows calling C functions and using C data types from pure +scripting language and therefore develop “system code” more productively. + +For PHP, FFI opens a way to write PHP extensions and bindings to C libraries +in pure PHP. + + +%prep +: Building %{name}-%{version}-%{release} +%if %{with lsws} +: With Litespeed SAPI +%endif +%if %{with oci8} +: With Oracle extensions +%endif +%if %{with enchant} +: With Enchant extensions +%endif +%if %{with imap} +: With Imap extensions +%endif +%if %{with firebird} +: With pdo_firebird extension +%endif +%if %{with freetds} +: With pdo_dblib extension +%endif +%if %{with sqlite3} +: With Sqlite3 extension +%endif +%if %{with tidy} +: With Tidy extension +%endif +%if %{with zip} +: With Zip extension +%endif +%if %{with tests} +: Run Test suite +%endif +%if %{with libgd} +: Use System libgd +%else +: Use Bundled libgd +%endif +%if %{with libpcre} +: Use System libpcre +%else +: Use Bundled libpcre +%endif +%if %{with dtrace} +: Enable Dtrace build +%endif + +%if 0%{?gh_date} +: no gpg check for git snapshot +%else +%{?gpgverify:%{gpgverify} --keyring='%{SOURCE20}' --signature='%{SOURCE21}' --data='%{SOURCE0}'} +%endif + +%if 0%{?gh_date} +%setup -q -n %{gh_project}-%{gh_commit} +%else +%setup -q -n php-%{upver}%{?rcver} +%endif + +%patch1 -p1 -b .mpmcheck +%patch5 -p1 -b .includedir +%patch6 -p1 -b .embed +%patch8 -p1 -b .libdb +%patch9 -p1 -b .deprecated +%if 0%{?rhel} +%patch10 -p1 -b .curltls +%endif + +%patch41 -p1 -b .syslib +%if 0%{?fedora} >= 30 || 0%{?rhel} >= 6 +%patch42 -p1 -b .systzdata +%endif +%patch43 -p1 -b .headers +sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in +%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7 +%patch45 -p1 -b .ldap_r +%endif +%patch46 -p1 -b .argon2 +%patch47 -p1 -b .phpinfo +%patch48 -p1 -b .sha +%patch49 -p1 -b .pharsha +%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9 +%patch50 -p1 -b .openssl3 +rm ext/openssl/tests/p12_with_extra_certs.p12 +%endif +%patch51 -p1 -b .libxcrypt + +%patch91 -p1 -b .remi-oci8 + +# upstream patches + +# security patches + +# Fixes for tests +%patch300 -p1 -b .datetests + +# WIP patch + +# Prevent %%doc confusion over LICENSE files +cp Zend/LICENSE ZEND_LICENSE +cp TSRM/LICENSE TSRM_LICENSE +cp sapi/fpm/LICENSE fpm_LICENSE +cp ext/mbstring/libmbfl/LICENSE libmbfl_LICENSE +cp ext/fileinfo/libmagic/LICENSE libmagic_LICENSE +cp ext/bcmath/libbcmath/LICENSE libbcmath_LICENSE +cp ext/date/lib/LICENSE.rst timelib_LICENSE + +# Multiple builds for multiple SAPIs +mkdir \ + build-fpm \ + build-apache \ + build-embedded \ + build-cgi + +# ----- Manage known as failed test ------- +# affected by systzdata patch +rm ext/date/tests/timezone_location_get.phpt +%if 0%{?fedora} < 28 +# need tzdata 2018i +rm ext/date/tests/bug33414-1.phpt +rm ext/date/tests/bug33415-2.phpt +rm ext/date/tests/date_modify-1.phpt +%endif +# too fast builder +rm ext/date/tests/bug73837.phpt +# fails sometime +rm ext/sockets/tests/mcast_ipv?_recv.phpt +# Should be skipped but fails sometime +rm ext/standard/tests/file/file_get_contents_error001.phpt +# cause stack exhausion +rm Zend/tests/bug54268.phpt +rm Zend/tests/bug68412.phpt +# slow and erratic result +rm sapi/cli/tests/upload_2G.phpt +# tar issue +rm ext/zlib/tests/004-mb.phpt + +# Safety check for API version change. +pver=$(sed -n '/#define PHP_VERSION /{s/.* "//;s/".*$//;p}' main/php_version.h) +if test "x${pver}" != "x%{upver}%{?rcver}%{!?rcver:%{?gh_date:-dev}}"; then + : Error: Upstream PHP version is now ${upver}, expecting %{upver}%{?rcver}%{!?rcver:%{?gh_date:-dev}}. + : Update the version/rcver macros and rebuild. + exit 1 +fi + +vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h` +if test "x${vapi}" != "x%{apiver}"; then + : Error: Upstream API version is now ${vapi}, expecting %{apiver}. + : Update the apiver macro and rebuild. + exit 1 +fi + +vzend=`sed -n '/#define ZEND_MODULE_API_NO/{s/^[^0-9]*//;p;}' Zend/zend_modules.h` +if test "x${vzend}" != "x%{zendver}"; then + : Error: Upstream Zend ABI version is now ${vzend}, expecting %{zendver}. + : Update the zendver macro and rebuild. + exit 1 +fi + +# Safety check for PDO ABI version change +vpdo=`sed -n '/#define PDO_DRIVER_API/{s/.*[ ]//;p}' ext/pdo/php_pdo_driver.h` +if test "x${vpdo}" != "x%{pdover}"; then + : Error: Upstream PDO ABI version is now ${vpdo}, expecting %{pdover}. + : Update the pdover macro and rebuild. + exit 1 +fi + +# Check for some extension version +ver=$(sed -n '/#define PHP_OCI8_VERSION /{s/.* "//;s/".*$//;p}' ext/oci8/php_oci8.h) +if test "$ver" != "%{oci8ver}"; then + : Error: Upstream OCI8 version is now ${ver}, expecting %{oci8ver}. + : Update the oci8ver macro and rebuild. + exit 1 +fi + +# https://bugs.php.net/63362 - Not needed but installed headers. +# Drop some Windows specific headers to avoid installation, +# before build to ensure they are really not needed. +rm -f TSRM/tsrm_win32.h \ + TSRM/tsrm_config.w32.h \ + Zend/zend_config.w32.h \ + ext/mysqlnd/config-win.h \ + ext/standard/winver.h \ + main/win32_internal_function_disabled.h \ + main/win95nt.h + +# Fix some bogus permissions +find . -name \*.[ch] -exec chmod 644 {} \; +chmod 644 README.* + +# Create the macros.php files +sed -e "s/@PHP_APIVER@/%{apiver}-%{__isa_bits}/" \ + -e "s/@PHP_ZENDVER@/%{zendver}-%{__isa_bits}/" \ + -e "s/@PHP_PDOVER@/%{pdover}-%{__isa_bits}/" \ + -e "s/@PHP_VERSION@/%{upver}/" \ + -e "s:@LIBDIR@:%{_libdir}:" \ + -e "s:@ETCDIR@:%{_sysconfdir}:" \ + -e "s:@INCDIR@:%{_includedir}:" \ + -e "s:@BINDIR@:%{_bindir}:" \ + -e "s:@SCL@:%{?scl:%{scl}_}:" \ + %{SOURCE3} | tee macros.php +%if 0%{?fedora} >= 24 || 0%{?rhel} >= 8 +echo '%%%{?scl:%{scl}_}pecl_xmldir %{_localstatedir}/lib/php/peclxml' | tee -a macros.php +%endif + +# Some extensions have their own configuration file +cp %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE53} . + +sed -e 's:%{_root_sysconfdir}:%{_sysconfdir}:' \ + -i 10-opcache.ini +sed -e 's:%{_root_datadir}:%{_datadir}:' \ + -i 20-ffi.ini + +%if 0%{!?scl:1} +: SCL macro not defined +exit 1 +%endif + + +%build +# This package fails to build with LTO due to undefined symbols. LTO +# was disabled in OpenSuSE as well, but with no real explanation why +# beyond the undefined symbols. It really shold be investigated further. +# Disable LTO +%define _lto_cflags %{nil} + +%{?dtsenable} + +# Set build date from https://reproducible-builds.org/specs/source-date-epoch/ +export SOURCE_DATE_EPOCH=$(date +%s -r NEWS) +export PHP_UNAME=$(uname) +export PHP_BUILD_SYSTEM=$(cat /etc/redhat-release | sed -e 's/ Beta//') +%if 0%{?vendor:1} +export PHP_BUILD_PROVIDER="%{vendor}" +%endif +export PHP_BUILD_COMPILER="$(gcc --version | head -n1)" +export PHP_BUILD_ARCH="%{_arch}" + +# Force use of system libtool: +libtoolize --force --copy +cat $(aclocal --print-ac-dir)/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >build/libtool.m4 + +%if 0%{?gh_date} +# Bison files +scripts/dev/genfiles +%endif + +# Regenerate configure scripts (patches change config.m4's) +touch configure.ac +./buildconf --force + +CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -Wno-pointer-sign" +export CFLAGS + +# Install extension modules in %{_libdir}/php/modules. +EXTENSION_DIR=%{_libdir}/php/modules; export EXTENSION_DIR + +# Set PEAR_INSTALLDIR to ensure that the hard-coded include_path +# includes the PEAR directory even though pear is packaged +# separately. +PEAR_INSTALLDIR=%{_datadir}/pear; export PEAR_INSTALLDIR + +# Shell function to configure and build a PHP tree. +build() { +# Old/recent bison version seems to produce a broken parser; +# upstream uses GNU Bison 2.3. Workaround: +mkdir Zend && cp ../Zend/zend_{language,ini}_{parser,scanner}.[ch] Zend + +# Always static: +# date, filter, libxml, reflection, spl: not supported +# hash: for PHAR_SIG_SHA256 and PHAR_SIG_SHA512 +# session: dep on hash, used by soap +# pcre: used by filter, zip +# pcntl, readline: only used by CLI sapi +# openssl: for PHAR_SIG_OPENSSL +# zlib: used by image + +ln -sf ../configure +%configure \ + --enable-rtld-now \ + --cache-file=../config.cache \ + --with-libdir=%{_lib} \ + --with-config-file-path=%{_sysconfdir} \ + --with-config-file-scan-dir=%{_sysconfdir}/php.d \ + --disable-debug \ + --with-pic \ + --disable-rpath \ + --without-pear \ + --with-exec-dir=%{_bindir} \ + --without-gdbm \ + --with-openssl \ + --with-system-ciphers \ +%if %{with libpcre} + --with-external-pcre \ +%endif +%if %{with libxcrypt} + --with-external-libcrypt \ +%endif + --with-zlib \ + --with-layout=GNU \ + --with-kerberos \ + --with-libxml \ +%if 0%{?fedora} >= 28 || 0%{?rhel} >= 6 + --with-system-tzdata \ +%endif + --with-mhash \ + --without-password-argon2 \ +%if %{with dtrace} + --enable-dtrace \ +%endif + $* +if test $? != 0; then + tail -500 config.log + : configure failed + exit 1 +fi + +make %{?_smp_mflags} +} + +# Build /usr/bin/php-cgi with the CGI SAPI, and most the shared extensions +pushd build-cgi + +build --libdir=%{_libdir}/php \ + --enable-pcntl \ + --enable-opcache \ + --enable-opcache-file \ + --enable-phpdbg \ +%if %{with imap} + --with-imap=shared --with-imap-ssl \ +%endif + --enable-mbstring=shared \ + --enable-mbregex \ + --enable-gd=shared \ +%if %{with libgd} + --with-external-gd \ +%else + --with-webp \ + --with-jpeg \ + --with-xpm \ + --with-freetype \ +%endif + --with-gmp=shared \ + --enable-calendar=shared \ + --enable-bcmath=shared \ + --with-bz2=shared \ + --enable-ctype=shared \ + --enable-dba=shared --with-db4=%{_root_prefix} \ + --with-tcadb=%{_root_prefix} \ + --with-lmdb=%{_root_prefix} \ +%if %{with qdbm} + --with-qdbm=%{_root_prefix} \ +%endif + --enable-exif=shared \ + --enable-ftp=shared \ + --with-gettext=shared \ + --with-iconv=shared \ + --enable-sockets=shared \ + --enable-tokenizer=shared \ + --with-ldap=shared --with-ldap-sasl \ + --enable-mysqlnd=shared \ + --with-mysqli=shared,mysqlnd \ + --with-mysql-sock=%{mysql_sock} \ +%if %{with oci8} + --with-oci8=shared,instantclient,%{_root_libdir}/oracle/%{oraclever}/client64/lib,%{oraclever} \ + --with-pdo-oci=shared,instantclient,%{_root_libdir}/oracle/%{oraclever}/client64/lib,%{oraclever} \ +%endif +%if %{with firebird} + --with-pdo-firebird=shared \ +%endif + --enable-dom=shared \ + --with-pgsql=shared \ + --enable-simplexml=shared \ + --enable-xml=shared \ + --with-snmp=shared,%{_root_prefix} \ + --enable-soap=shared \ + --with-xsl=shared,%{_root_prefix} \ + --enable-xmlreader=shared --enable-xmlwriter=shared \ + --with-curl=shared \ + --enable-pdo=shared \ + --with-pdo-odbc=shared,unixODBC,%{_root_prefix} \ + --with-pdo-mysql=shared,mysqlnd \ + --with-pdo-pgsql=shared,%{_root_prefix} \ + --with-pdo-sqlite=shared \ +%if %{with sqlite3} + --with-sqlite3=shared \ +%else + --without-sqlite3 \ +%endif +%if %{with zip} + --with-zip=shared \ +%endif + --without-readline \ + --with-libedit \ + --with-pspell=shared \ + --enable-phar=shared \ +%if %{with tidy} + --with-tidy=shared,%{_root_prefix} \ +%endif +%if %{with freetds} + --with-pdo-dblib=shared,%{_root_prefix} \ +%endif + --enable-sysvmsg=shared --enable-sysvshm=shared --enable-sysvsem=shared \ + --enable-shmop=shared \ + --enable-posix=shared \ + --with-unixODBC=shared,%{_root_prefix} \ + --enable-intl=shared \ +%if %{with enchant} + --with-enchant=shared \ +%endif + --enable-fileinfo=shared \ + --with-ffi=shared \ + --with-sodium=shared +popd + +without_shared="--disable-gd \ + --disable-dom --disable-dba --without-unixODBC \ + --disable-opcache \ + --disable-phpdbg \ + --without-ffi \ + --disable-xmlreader --disable-xmlwriter \ + --without-sodium \ + --without-sqlite3 --disable-phar --disable-fileinfo \ + --without-pspell \ + --without-curl --disable-posix --disable-xml \ + --disable-simplexml --disable-exif --without-gettext \ + --without-iconv --disable-ftp --without-bz2 --disable-ctype \ + --disable-shmop --disable-sockets --disable-tokenizer \ + --disable-sysvmsg --disable-sysvshm --disable-sysvsem" + +# Build Apache module, and the CLI SAPI, /usr/bin/php +pushd build-apache +build --with-apxs2=%{_httpd_apxs} \ + --libdir=%{_libdir}/php \ +%if %{with lsws} + --enable-litespeed \ +%endif + --without-mysqli \ + --disable-pdo \ + ${without_shared} +popd + +# Build php-fpm +pushd build-fpm +build --enable-fpm \ + --with-fpm-systemd \ + --with-fpm-acl \ + --libdir=%{_libdir}/php \ + --without-mysqli \ + --disable-pdo \ + ${without_shared} +popd + +# Build for inclusion as embedded script language into applications, +# /usr/lib[64]/libphp.so +pushd build-embedded +build --enable-embed \ + --without-mysqli \ + --disable-pdo \ + ${without_shared} +popd + + +%check +%if %{with tests} +cd build-fpm + +# Run tests, using the CLI SAPI +export NO_INTERACTION=1 REPORT_EXIT_STATUS=1 MALLOC_CHECK_=2 +export SKIP_ONLINE_TESTS=1 +export SKIP_IO_CAPTURE_TESTS=1 +unset TZ LANG LC_ALL +if ! make test TESTS=-j4; then + set +x + for f in $(find .. -name \*.diff -type f -print); do + if ! grep -q XFAIL "${f/.diff/.phpt}" + then + echo "TEST FAILURE: $f --" + head -n 100 "$f" + echo -e "\n-- $f result ends." + fi + done + set -x + #exit 1 +fi +unset NO_INTERACTION REPORT_EXIT_STATUS MALLOC_CHECK_ +%endif + + +%install +%{?dtsenable} + +# Install the version for embedded script language in applications + php_embed.h +make -C build-embedded install-sapi install-headers \ + INSTALL_ROOT=$RPM_BUILD_ROOT + +# Install the php-fpm binary +make -C build-fpm install-fpm \ + INSTALL_ROOT=$RPM_BUILD_ROOT + +# Install everything from the CGI SAPI build +make -C build-cgi install \ + INSTALL_ROOT=$RPM_BUILD_ROOT + +# Use php-config from embed SAPI to reduce used libs +install -m 755 build-embedded/scripts/php-config $RPM_BUILD_ROOT%{_bindir}/php-config + +# Install the default configuration file +install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/ +install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/php.ini +sed -e 's:%{_root_sysconfdir}:%{_sysconfdir}:' \ + -i $RPM_BUILD_ROOT%{_sysconfdir}/php.ini + +# For third-party packaging: +install -m 755 -d $RPM_BUILD_ROOT%{_datadir}/php/preload + +# install the DSO +install -m 755 -d $RPM_BUILD_ROOT%{_httpd_moddir} +install -m 755 build-apache/libs/libphp.so $RPM_BUILD_ROOT%{_httpd_moddir} + +# Apache config fragment +%if %{?scl:1}0 +sed -e 's/libphp/lib%{scl}/' %{SOURCE9} >modconf +install -m 755 -d $RPM_BUILD_ROOT%{_root_httpd_moddir} +ln -s %{_httpd_moddir}/libphp.so $RPM_BUILD_ROOT%{_root_httpd_moddir}/lib%{scl}.so +%else +cp %{SOURCE9} modconf +%endif + +# Dual config file with httpd >= 2.4 (RHEL >= 7) +install -D -m 644 modconf $RPM_BUILD_ROOT%{_httpd_modconfdir}/20-%{name}.conf +install -D -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_httpd_confdir}/%{name}.conf +%if %{with_httpd2410} +cat %{SOURCE10} >>$RPM_BUILD_ROOT%{_httpd_confdir}/%{name}.conf +%endif + +sed -e 's:/var/lib:%{_localstatedir}/lib:' \ + -i $RPM_BUILD_ROOT%{_httpd_confdir}/%{name}.conf + +install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/php.d +install -m 755 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/php +install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/php/session +install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/php/wsdlcache +install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/php/opcache +%if 0%{?fedora} >= 24 || 0%{?rhel} >= 8 +install -m 755 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/php/peclxml +install -m 755 -d $RPM_BUILD_ROOT%{_docdir}/pecl +install -m 755 -d $RPM_BUILD_ROOT%{_datadir}/tests/pecl +%endif + +%if %{with lsws} +install -m 755 build-apache/sapi/litespeed/php $RPM_BUILD_ROOT%{_bindir}/lsphp +%endif + +# PHP-FPM stuff +# Log +install -m 755 -d $RPM_BUILD_ROOT%{_localstatedir}/log/php-fpm +install -m 755 -d $RPM_BUILD_ROOT%{_localstatedir}/run/php-fpm +# Config +install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.d +install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.conf +sed -e 's:/run:%{_localstatedir}/run:' \ + -e 's:/var/log:%{_localstatedir}/log:' \ + -e 's:/etc:%{_sysconfdir}:' \ + -i $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.conf +install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.d/www.conf +sed -e 's:/var/lib:%{_localstatedir}/lib:' \ + -e 's:/var/log:%{_localstatedir}/log:' \ + -i $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.d/www.conf +mv $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.conf.default . +mv $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.d/www.conf.default . +# tmpfiles.d +# install -m 755 -d $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d +# install -m 644 php-fpm.tmpfiles $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/php-fpm.conf +# install systemd unit files and scripts for handling server startup +install -Dm 644 %{SOURCE6} $RPM_BUILD_ROOT%{_unitdir}/%{?scl_prefix}php-fpm.service +%if 0%{?fedora} >= 27 || 0%{?rhel} >= 8 +install -Dm 644 %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/httpd.service.d/%{?scl_prefix}php-fpm.conf +install -Dm 644 %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/nginx.service.d/%{?scl_prefix}php-fpm.conf +sed -e 's/php-fpm/%{?scl_prefix}php-fpm/' -i $RPM_BUILD_ROOT%{_unitdir}/*.service.d/%{?scl_prefix}php-fpm.conf +%endif +sed -e 's:/run:%{_localstatedir}/run:' \ + -e 's:/etc/sysconfig:%{_sysconfdir}/sysconfig:' \ + -e 's:php-fpm.service:%{?scl_prefix}php-fpm.service:' \ + -e 's:/usr/sbin:%{_sbindir}:' \ + -i $RPM_BUILD_ROOT%{_unitdir}/%{?scl_prefix}php-fpm.service +# this folder requires systemd >= 204 +install -m 755 -d $RPM_BUILD_ROOT%{_root_sysconfdir}/systemd/system/%{?scl_prefix}php-fpm.service.d + +%if %{with_httpd2410} +# Switch to UDS +# FPM +sed -e 's@127.0.0.1:9000@%{_localstatedir}/run/php-fpm/www.sock@' \ + -e 's@^;listen.acl_users@listen.acl_users@' \ + -i $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.d/www.conf +# Apache +sed -e 's@proxy:fcgi://127.0.0.1:9000@proxy:unix:%{_localstatedir}/run/php-fpm/www.sock|fcgi://localhost@' \ + -i $RPM_BUILD_ROOT%{_httpd_confdir}/%{name}.conf +%endif + +# LogRotate +install -m 755 -d $RPM_BUILD_ROOT%{_root_sysconfdir}/logrotate.d +install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_root_sysconfdir}/logrotate.d/%{?scl_prefix}php-fpm +sed -e 's:/run:%{_localstatedir}/run:' \ + -e 's:/var/log:%{_localstatedir}/log:' \ + -i $RPM_BUILD_ROOT%{_root_sysconfdir}/logrotate.d/%{?scl_prefix}php-fpm + +# Environment file +%if 0%{?fedora} >= 26 || 0%{?rhel} >= 8 +sed -e '/EnvironmentFile/d' -i $RPM_BUILD_ROOT%{_unitdir}/%{?scl_prefix}php-fpm.service +%else +install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig +install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/php-fpm +sed -e 's:php-fpm.service:%{?scl_prefix}php-fpm.service:' \ + -i $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/php-fpm +%endif + +# make the cli commands available in standard root for SCL build +%if 0%{?scl:1} +install -m 755 -d $RPM_BUILD_ROOT%{_root_bindir} +ln -s %{_bindir}/php $RPM_BUILD_ROOT%{_root_bindir}/%{scl} +ln -s %{_bindir}/php-cgi $RPM_BUILD_ROOT%{_root_bindir}/%{scl}-cgi +ln -s %{_bindir}/phar.phar $RPM_BUILD_ROOT%{_root_bindir}/%{scl_prefix}phar +ln -s %{_bindir}/phpdbg $RPM_BUILD_ROOT%{_root_bindir}/%{scl_prefix}phpdbg +%if %{with lsws} +ln -s %{_bindir}/lsphp $RPM_BUILD_ROOT%{_root_bindir}/ls%{scl} +%endif +%endif + +TESTCMD="$RPM_BUILD_ROOT%{_bindir}/php --no-php-ini" +# Ensure all provided extensions are really there +for mod in core date filter hash json libxml openssl pcntl pcre readline reflection session spl standard zlib +do + $TESTCMD --modules | grep -i "$mod\$" +done + +TESTCMD="$TESTCMD --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/php/modules" + +# Generate files lists and stub .ini files for each subpackage +for mod in pgsql odbc ldap snmp \ + mysqlnd mysqli \ +%if %{with imap} + imap \ +%endif + mbstring gd dom xsl soap bcmath dba \ + simplexml bz2 calendar ctype exif ftp gettext gmp iconv \ + sockets tokenizer opcache \ + pdo \ +%if %{with sqlite3} + sqlite3 \ +%endif +%if %{with enchant} + enchant \ +%endif + ffi \ + phar fileinfo intl \ +%if %{with tidy} + tidy \ +%endif +%if %{with zip} + zip \ +%endif + sodium \ + pspell curl xml \ + posix shmop sysvshm sysvsem sysvmsg \ + pdo_mysql pdo_pgsql pdo_odbc pdo_sqlite \ +%if %{with oci8} + oci8 pdo_oci \ +%endif +%if %{with firebird} + pdo_firebird \ +%endif +%if %{with freetds} + pdo_dblib \ +%endif + xmlreader xmlwriter +do + # for extension load order + case $mod in + opcache) + # Zend extensions + TESTCMD="$TESTCMD --define zend_extension=$mod" + ini=10-${mod}.ini;; + pdo_*|mysqli|xmlreader) + # Extensions with dependencies on 20-* + TESTCMD="$TESTCMD --define extension=$mod" + ini=30-${mod}.ini;; + *) + TESTCMD="$TESTCMD --define extension=$mod" + # Extensions with no dependency + ini=20-${mod}.ini;; + esac + + $TESTCMD --modules | grep -i "$mod\$" + + # some extensions have their own config file + if [ -f ${ini} ]; then + cp -p ${ini} $RPM_BUILD_ROOT%{_sysconfdir}/php.d/${ini} + else + cat > $RPM_BUILD_ROOT%{_sysconfdir}/php.d/${ini} <<EOF +; Enable ${mod} extension module +extension=${mod} +EOF + fi + cat > files.${mod} <<EOF +%{_libdir}/php/modules/${mod}.so +%config(noreplace) %{_sysconfdir}/php.d/${ini} +EOF +done + +# The dom, xsl and xml* modules are all packaged in php-xml +cat files.dom files.xsl files.xml{reader,writer} \ + files.simplexml >> files.xml + +# mysqlnd +cat files.mysqli \ + files.pdo_mysql \ + >> files.mysqlnd + +# Split out the PDO modules +cat files.pdo_pgsql >> files.pgsql +cat files.pdo_odbc >> files.odbc +%if %{with oci8} +cat files.pdo_oci >> files.oci8 +%endif + +# sysv* and posix in packaged in php-process +cat files.shmop files.sysv* files.posix > files.process + +# Package sqlite3 and pdo_sqlite with pdo; isolating the sqlite dependency +# isn't useful at this time since rpm itself requires sqlite. +cat files.pdo_sqlite >> files.pdo +%if %{with sqlite3} +cat files.sqlite3 >> files.pdo +%endif + +# Package curl, phar and fileinfo in -common. +cat files.curl files.phar files.fileinfo \ + files.exif files.gettext files.iconv files.calendar \ + files.ftp files.bz2 files.ctype files.sockets \ + files.tokenizer > files.common + +# The default Zend OPcache blacklist file +install -m 644 opcache-default.blacklist $RPM_BUILD_ROOT%{_sysconfdir}/php.d/opcache-default.blacklist + +# Install the macros file: +install -m 644 -D macros.php \ + $RPM_BUILD_ROOT%{macrosdir}/macros.%{name} + +# Remove unpackaged files +rm -rf $RPM_BUILD_ROOT%{_libdir}/php/modules/*.a \ + $RPM_BUILD_ROOT%{_bindir}/{phptar} \ + $RPM_BUILD_ROOT%{_datadir}/pear \ + $RPM_BUILD_ROOT%{_libdir}/libphp.a \ + $RPM_BUILD_ROOT%{_libdir}/libphp.la + +# Remove irrelevant docs +rm -f README.{Zeus,QNX,CVS-RULES} + + +%if ! %{with_httpd2410} +%pre fpm +# Add the "apache" user (to avoid pulling httpd in our dep) +getent group apache >/dev/null || \ + groupadd -g 48 -r apache +getent passwd apache >/dev/null || \ + useradd -r -u 48 -g apache -s /sbin/nologin \ + -d %{_httpd_contentdir} -c "Apache" apache +exit 0 +%endif + +%post fpm +%systemd_post %{?scl:%{scl}-}php-fpm.service + +%preun fpm +%systemd_preun %{?scl:%{scl}-}php-fpm.service + +%if 0%{?fedora} < 27 && 0%{?rhel} < 8 +%postun fpm +%systemd_postun_with_restart %{?scl:%{scl}-}php-fpm.service +%endif + +%if 0%{?fedora} >= 27 || 0%{?rhel} >= 8 +# Raised by new pool installation or new extension installation +%transfiletriggerin fpm -- %{_sysconfdir}/php-fpm.d %{_sysconfdir}/php.d +systemctl try-restart %{?scl:%{scl}-}php-fpm.service >/dev/null 2>&1 || : +%endif + +# Handle upgrading from SysV initscript to native systemd unit. +# We can tell if a SysV version of php-fpm was previously installed by +# checking to see if the initscript is present. +%triggerun fpm -- %{?scl_prefix}php-fpm +if [ -f /etc/rc.d/init.d/%{?scl_prefix}php-fpm ]; then + # Save the current service runlevel info + # User must manually run systemd-sysv-convert --apply php-fpm + # to migrate them to systemd targets + /usr/bin/systemd-sysv-convert --save %{?scl_prefix}php-fpm >/dev/null 2>&1 || : + + # Run these because the SysV package being removed won't do them + /sbin/chkconfig --del %{?scl_prefix}php-fpm >/dev/null 2>&1 || : + /bin/systemctl try-restart %{?scl_prefix}php-fpm.service >/dev/null 2>&1 || : +fi + + +%if 0%{?fedora} < 28 && 0%{?rhel} < 8 +%post embedded -p /sbin/ldconfig +%postun embedded -p /sbin/ldconfig +%endif + + +%{!?_licensedir:%global license %%doc} + +%files +%{_httpd_moddir}/libphp.so +%if 0%{?scl:1} +%dir %{_libdir}/httpd +%dir %{_libdir}/httpd/modules +%{_root_httpd_moddir}/lib%{scl}.so +%endif +%attr(0770,root,apache) %dir %{_localstatedir}/lib/php/session +%attr(0770,root,apache) %dir %{_localstatedir}/lib/php/wsdlcache +%attr(0770,root,apache) %dir %{_localstatedir}/lib/php/opcache +%config(noreplace) %{_httpd_confdir}/%{name}.conf +%config(noreplace) %{_httpd_modconfdir}/20-%{name}.conf + +%files common -f files.common +%doc EXTENSIONS NEWS UPGRADING* README.REDIST.BINS *md docs +%license LICENSE TSRM_LICENSE ZEND_LICENSE +%license libmagic_LICENSE +%license timelib_LICENSE +%doc php.ini-* +%config(noreplace) %{_sysconfdir}/php.ini +%dir %{_sysconfdir}/php.d +%dir %{_libdir}/php +%dir %{_libdir}/php/modules +%dir %{_localstatedir}/lib/php +%dir %{_datadir}/php +%if 0%{?fedora} >= 24 || 0%{?rhel} >= 8 +%dir %{_localstatedir}/lib/php/peclxml +%dir %{_docdir}/pecl +%dir %{_datadir}/tests +%dir %{_datadir}/tests/pecl +%endif + +%files cli +%{_bindir}/php +%{_bindir}/php-cgi +%{_bindir}/phar.phar +%{_bindir}/phar +# provides phpize here (not in -devel) for pecl command +%{_bindir}/phpize +%{_mandir}/man1/php.1* +%{_mandir}/man1/php-cgi.1* +%{_mandir}/man1/phar.1* +%{_mandir}/man1/phar.phar.1* +%{_mandir}/man1/phpize.1* +%if 0%{?scl:1} +%{_root_bindir}/%{scl} +%{_root_bindir}/%{scl}-cgi +%{_root_bindir}/%{scl_prefix}phar +%endif + +%files dbg +%{_bindir}/phpdbg +%{_mandir}/man1/phpdbg.1* +%doc sapi/phpdbg/CREDITS +%if 0%{?scl:1} +%{_root_bindir}/%{scl_prefix}phpdbg +%endif + +%files fpm +%doc php-fpm.conf.default www.conf.default +%license fpm_LICENSE +%attr(0770,root,apache) %dir %{_localstatedir}/lib/php/session +%attr(0770,root,apache) %dir %{_localstatedir}/lib/php/wsdlcache +%attr(0770,root,apache) %dir %{_localstatedir}/lib/php/opcache +%if %{with_httpd2410} +%config(noreplace) %{_httpd_confdir}/%{name}.conf +%endif +%config(noreplace) %{_sysconfdir}/php-fpm.conf +%config(noreplace) %{_sysconfdir}/php-fpm.d/www.conf +%config(noreplace) %{_root_sysconfdir}/logrotate.d/%{?scl_prefix}php-fpm +%if 0%{?fedora} < 26 && 0%{?rhel} < 8 +%config(noreplace) %{_sysconfdir}/sysconfig/php-fpm +%endif +# {_prefix}/lib/tmpfiles.d/php-fpm.conf +%{_unitdir}/%{?scl_prefix}php-fpm.service +%dir %{_root_sysconfdir}/systemd/system/%{?scl_prefix}php-fpm.service.d +%if 0%{?fedora} >= 27 || 0%{?rhel} >= 8 +%{_unitdir}/httpd.service.d/%{?scl_prefix}php-fpm.conf +%{_unitdir}/nginx.service.d/%{?scl_prefix}php-fpm.conf +%endif +%{_sbindir}/php-fpm +%dir %{_sysconfdir}/php-fpm.d +# log owned by apache for log +%attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm +%dir %{_localstatedir}/run/php-fpm +%{_mandir}/man8/php-fpm.8* +%dir %{_datadir}/fpm +%{_datadir}/fpm/status.html + +%if %{with lsws} +%files litespeed +%{_bindir}/lsphp +%if 0%{?scl:1} +%{_root_bindir}/ls%{scl} +%endif +%endif + +%files embedded +%{_libdir}/libphp.so +%{_libdir}/libphp-%{embed_version}.so + +%files devel +%{_bindir}/php-config +%{_includedir}/php +%{_libdir}/php/build +%{_mandir}/man1/php-config.1* +%{macrosdir}/macros.%{name} + +%files pgsql -f files.pgsql +%files odbc -f files.odbc +%if %{with imap} +%files imap -f files.imap +%endif +%files ldap -f files.ldap +%files snmp -f files.snmp +%files xml -f files.xml +%files mbstring -f files.mbstring +%license libmbfl_LICENSE +%files gd -f files.gd +%files soap -f files.soap +%files bcmath -f files.bcmath +%license libbcmath_LICENSE +%files gmp -f files.gmp +%files dba -f files.dba +%files pdo -f files.pdo +%if %{with tidy} +%files tidy -f files.tidy +%endif +%if %{with freetds} +%files pdo-dblib -f files.pdo_dblib +%endif +%files pspell -f files.pspell +%files intl -f files.intl +%files process -f files.process +%if %{with firebird} +%files pdo-firebird -f files.pdo_firebird +%endif +%if %{with enchant} +%files enchant -f files.enchant +%endif +%files mysqlnd -f files.mysqlnd +%files opcache -f files.opcache +%config(noreplace) %{_sysconfdir}/php.d/opcache-default.blacklist +%if %{with oci8} +%files oci8 -f files.oci8 +%endif +%if %{with zip} +%files zip -f files.zip +%endif +%files sodium -f files.sodium +%files ffi -f files.ffi +%dir %{_datadir}/php/preload + + +%changelog +* Tue May 10 2022 Remi Collet <remi@remirepo.net> - 8.0.19-1 +- Update to 8.0.19 - http://www.php.net/releases/8_0_19.php +- use oracle client library version 21.6 + +* Tue Apr 26 2022 Remi Collet <remi@remirepo.net> - 8.0.19~RC1-1 +- update to 8.0.19RC1 + +* Wed Apr 13 2022 Remi Collet <remi@remirepo.net> - 8.0.18-1 +- Update to 8.0.18 - http://www.php.net/releases/8_0_18.php + +* Thu Mar 31 2022 Remi Collet <remi@remirepo.net> - 8.0.18~RC1-1 +- update to 8.0.18RC1 + +* Tue Mar 15 2022 Remi Collet <remi@remirepo.net> - 8.0.17-1 +- Update to 8.0.17 - http://www.php.net/releases/8_0_17.php + +* Wed Mar 2 2022 Remi Collet <remi@remirepo.net> - 8.0.17~RC1-1 +- update to 8.0.17RC1 + +* Tue Feb 22 2022 Remi Collet <remi@remirepo.net> - 8.0.16-2 +- retrieve tzdata version +- use oracle client library version 21.5 + +* Wed Feb 16 2022 Remi Collet <remi@remirepo.net> - 8.0.16-1 +- Update to 8.0.16 - http://www.php.net/releases/8_0_16.php + +* Thu Feb 3 2022 Remi Collet <remi@remirepo.net> - 8.0.16~RC1-1 +- update to 8.0.16RC1 + +* Tue Jan 18 2022 Remi Collet <remi@remirepo.net> - 8.0.15-1 +- Update to 8.0.15 - http://www.php.net/releases/8_0_15.php + +* Wed Jan 5 2022 Remi Collet <remi@remirepo.net> - 8.0.15~RC1-1 +- update to 8.0.15RC1 + +* Thu Dec 16 2021 Remi Collet <remi@remirepo.net> - 8.0.14-1 +- Update to 8.0.14 - http://www.php.net/releases/8_0_14.php + +* Thu Dec 2 2021 Remi Collet <remi@remirepo.net> - 8.0.14~RC1-2 +- ensure we use libgd >= 2.3 + +* Thu Dec 2 2021 Remi Collet <remi@remirepo.net> - 8.0.14~RC1-1 +- update to 8.0.14RC1 +- use oracle client library version 21.4 + +* Wed Nov 17 2021 Remi Collet <remi@remirepo.net> - 8.0.13-1 +- Update to 8.0.13 - http://www.php.net/releases/8_0_13.php + +* Wed Nov 3 2021 Remi Collet <remi@remirepo.net> - 8.0.13~RC1-1 +- update to 8.0.13RC1 + +* Tue Oct 26 2021 Remi Collet <remi@remirepo.net> - 8.0.12-3 +- dba: enable qdbm backend + +* Tue Oct 26 2021 Remi Collet <remi@remirepo.net> - 8.0.12-2 +- add patch for OpenSSL 3.0 on F36 and EL9 + +* Tue Oct 19 2021 Remi Collet <remi@remirepo.net> - 8.0.12-1 +- Update to 8.0.12 - http://www.php.net/releases/8_0_12.php + +* Mon Oct 18 2021 Remi Collet <remi@remirepo.net> - 8.0.12~RC1-2 +- build using system libxcrypt (Fedora) + +* Wed Oct 6 2021 Remi Collet <remi@remirepo.net> - 8.0.12~RC1-1 +- update to 8.0.12RC1 +- use libicu version 69 + +* Wed Sep 22 2021 Remi Collet <remi@remirepo.net> - 8.0.11-1 +- Update to 8.0.11 - http://www.php.net/releases/8_0_11.php + +* Tue Sep 7 2021 Remi Collet <remi@remirepo.net> - 8.0.11~RC1-1 +- update to 8.0.11RC1 +- use oracle client library version 21.3 + +* Tue Aug 24 2021 Remi Collet <remi@remirepo.net> - 8.0.10-1 +- Update to 8.0.10 - http://www.php.net/releases/8_0_10.php + +* Wed Aug 11 2021 Remi Collet <remi@remirepo.net> - 8.0.10~RC1-2 +- phar: switch to sha256 signature by default, backported from 8.1 +- phar: implement openssl_256 and openssl_512 for signatures, backported from 8.1 +- snmp: add sha256 / sha512 security protocol, backported from 8.1 + +* Tue Aug 10 2021 Remi Collet <remi@remirepo.net> - 8.0.10~RC1-1 +- update to 8.0.10RC1 +- adapt systzdata patch for timelib 2020.03 (v20) + +* Tue Aug 3 2021 Remi Collet <remi@remirepo.net> - 8.0.9-2 +- add upstream patch for https://bugs.php.net/81325 segfault in simplexml + +* Thu Jul 29 2021 Remi Collet <remi@remirepo.net> - 8.0.9-1 +- Update to 8.0.9 - http://www.php.net/releases/8_0_9.php + +* Tue Jul 13 2021 Remi Collet <remi@remirepo.net> - 8.0.9~RC1-1 +- update to 8.0.9RC1 + +* Tue Jun 29 2021 Remi Collet <remi@remirepo.net> - 8.0.8-1 +- Update to 8.0.8 - http://www.php.net/releases/8_0_8.php + +* Tue Jun 15 2021 Remi Collet <remi@remirepo.net> - 8.0.8~RC1-1 +- update to 8.0.8RC1 +- ignore unsupported "threads" option on password_hash + +* Wed Jun 2 2021 Remi Collet <remi@remirepo.net> - 8.0.7-1 +- Update to 8.0.7 - http://www.php.net/releases/8_0_7.php + +* Thu May 20 2021 Remi Collet <remi@remirepo.net> - 8.0.7~RC1-1 +- update to 8.0.7RC1 + +* Sat May 8 2021 Remi Collet <remi@remirepo.net> - 8.0.6-2 +- get rid of inet_ntoa, inet_aton, inet_addr and gethostbyaddr calls + +* Wed May 5 2021 Remi Collet <remi@remirepo.net> - 8.0.6-1 +- Update to 8.0.6 - http://www.php.net/releases/8_0_6.php + +* Tue Apr 27 2021 Remi Collet <remi@remirepo.net> - 8.0.5-1 +- Update to 8.0.5 - http://www.php.net/releases/8_0_5.php + +* Tue Apr 13 2021 Remi Collet <remi@remirepo.net> - 8.0.5~RC1-1 +- update to 8.0.5RC1 + +* Tue Mar 16 2021 Remi Collet <remi@remirepo.net> - 8.0.4~RC1-1 +- update to 8.0.4RC1 +- use oracle client library version 21.1 + +* Wed Mar 3 2021 Remi Collet <remi@remirepo.net> - 8.0.3-1 +- Update to 8.0.3 - http://www.php.net/releases/8_0_3.php + +* Thu Feb 18 2021 Remi Collet <remi@remirepo.net> - 8.0.3~RC1-1 +- update to 8.0.3RC1 + +* Tue Feb 2 2021 Remi Collet <remi@remirepo.net> - 8.0.2-1 +- Update to 8.0.2 - http://www.php.net/releases/8_0_2.php + +* Thu Jan 28 2021 Remi Collet <remi@remirepo.net> - 8.0.2~RC1-2 +- add upstream patch for https://bugs.php.net/80682 + fix opcache doesn't honour pcre.jit option + +* Tue Jan 19 2021 Remi Collet <remi@remirepo.net> - 8.0.2~RC1-1 +- update to 8.0.2RC1 +- oci8 version is now 3.0.1 + +* Tue Jan 5 2021 Remi Collet <remi@remirepo.net> - 8.0.1-1 +- Update to 8.0.1 - http://www.php.net/releases/8_0_1.php + +* Tue Jan 5 2021 Remi Collet <remi@remirepo.net> - 8.0.1~RC1-2 +- test build for new upstream patch (from 8.1) + +* Tue Dec 15 2020 Remi Collet <remi@remirepo.net> - 8.0.1~RC1-1 +- update to 8.0.1RC1 + +* Tue Dec 8 2020 Remi Collet <remi@remirepo.net> - 8.0.0-2 +- fix service dependency name +- add dependency on make for devel + +* Wed Nov 25 2020 Remi Collet <remi@remirepo.net> - 8.0.0-1 +- update to 8.0.0 GA + +* Wed Nov 18 2020 Remi Collet <remi@remirepo.net> - 8.0.0~rc5-38 +- update to 8.0.0RC5 +- use oracle client library version 19.9 + +* Tue Nov 10 2020 Remi Collet <remi@remirepo.net> - 8.0.0~rc4-37 +- update to 8.0.0RC4 + +* Tue Oct 27 2020 Remi Collet <remi@remirepo.net> - 8.0.0~rc3-36 +- update to 8.0.0RC3 + +* Wed Oct 14 2020 Remi Collet <remi@remirepo.net> - 8.0.0~rc2-35 +- update to 8.0.0RC2 + +* Wed Sep 30 2020 Remi Collet <remi@remirepo.net> - 8.0.0~rc1-34 +- update to 8.0.0rc1 +- bump ABI/API versions + +* Thu Sep 17 2020 Remi Collet <remi@remirepo.net> - 8.0.0~beta4-33 +- use %%bcond_without for dtrace, libgd, firebird, lsws, libpcre, imap + tidy, freetds, sqlite3, enchant so can be disabled during rebuild +- use %%bcond_with for libgd, libpcre, oci8, and zip + so can be enabled during rebuild + +* Wed Sep 16 2020 Remi Collet <remi@remirepo.net> - 8.0.0~beta4-32 +- update to 8.0.0beta4 + +* Wed Sep 2 2020 Remi Collet <remi@remirepo.net> - 8.0.0~beta3-31 +- update to 8.0.0beta3 +- adapt systzdata patch (v19) + +* Wed Aug 26 2020 Remi Collet <remi@remirepo.net> - 8.0.0~beta2-30 +- build with upstream fix for zend_call_method + +* Wed Aug 19 2020 Remi Collet <remi@remirepo.net> - 8.0.0~beta2-29 +- update to 8.0.0beta2 + +* Thu Aug 13 2020 Remi Collet <remi@remirepo.net> - 8.0.0~beta1-28 +- use oracle client library version 19.8 + +* Wed Aug 5 2020 Remi Collet <remi@remirepo.net> - 8.0.0~beta1-27 +- update to 8.0.0beta1 +- bump ABI/API versions + +* Tue Jul 21 2020 Remi Collet <remi@remirepo.net> - 8.0.0~alpha3-26 +- update to 8.0.0alpha3 +- oci8 version is now 3.0.0 + +* Fri Jul 10 2020 Remi Collet <remi@remirepo.net> - 8.0.0~alpha2-25 +- rebuild using ICU 65 + +* Thu Jul 9 2020 Remi Collet <remi@remirepo.net> - 8.0.0~alpha2-24 +- rebuild 1 upstream patch + +* Tue Jul 7 2020 Remi Collet <remi@remirepo.net> - 8.0.0~alpha2-23 +- update to 8.0.0alpha2 +- display build system and provider in phpinfo + +* Thu Jun 25 2020 Remi Collet <remi@remirepo.net> - 8.0.0~alpha1-22 +- add upstream patch to use hash in gen_stub.php + +* Wed Jun 24 2020 Remi Collet <remi@remirepo.net> - 8.0.0~alpha1-21 +- use system nikic/php-parser if available to generate + C headers from PHP stub +- switch from "runselftest" option to bcond_without tests + +* Wed Jun 24 2020 Remi Collet <remi@remirepo.net> - 8.0.0~alpha1-20 +- update to 8.0.0alpha1 + +* Mon Jun 15 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200615-19 +- new snapshot + +* Tue Jun 9 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200609-18 +- new snapshot +- rebuild using oniguruma5php + +* Mon Jun 8 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200608-17 +- new snapshot +- drop patch to fix PHP_UNAME + +* Tue Jun 2 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200602-16 +- new snapshot +- drop xmlrpc extension + +* Wed May 27 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200527-15 +- new snapshot +- json is now build statically + +* Wed May 27 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200526-14 +- new snapshot +- build phpdbg only once + +* Tue May 26 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200526-13 +- new snapshot + +* Wed May 20 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200519-12 +- use php-config from embed SAPI to reduce used libs + +* Tue May 19 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200519-11 +- new snapshot + +* Wed May 13 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200513-10 +- new snapshot + +* Wed May 13 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200513-9 +- new snapshot + +* Mon May 4 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200504-8 +- new snapshot +- enchant: use libenchant-2 instead of libenchant + +* Tue Apr 28 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200428-7 +- new snapshot +- test build for https://github.com/php/php-src/pull/5480 + +* Mon Apr 27 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200427-6 +- new snapshot +- fix tag=disable-static + +* Mon Apr 27 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200427-5 +- new snapshot +- revert changes to use non PIC object files + +* Wed Apr 22 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200422-4 +- new snapshot + +* Wed Apr 15 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200415-3 +- new snapshot + +* Fri Apr 10 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200409-2 +- new snapshot +- refresh php.ini from upstream +- rename 15-php80-php.conf to 20-php70-php.conf to ensure load order + +* Thu Apr 9 2020 Remi Collet <remi@remirepo.net> - 8.0.0~DEV.20200409-1 +- update to 8.0.0-dev + +* Tue Mar 31 2020 Remi Collet <remi@remirepo.net> - 7.4.5~RC1-1 +- update to 7.4.5RC1 + +* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 7.4.4-1 +- Update to 7.4.4 - http://www.php.net/releases/7_4_4.php +- use oracle client library version 19.6 (18.5 on EL-6) + +* Tue Mar 3 2020 Remi Collet <remi@remirepo.net> - 7.4.4~RC1-1 +- update to 7.4.4RC1 + +* Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 7.4.3-1 +- Update to 7.4.3 - http://www.php.net/releases/7_4_3.php + +* Tue Feb 4 2020 Remi Collet <remi@remirepo.net> - 7.4.3~RC1-1 +- update to 7.4.3RC1 + +* Tue Jan 28 2020 Remi Collet <remi@remirepo.net> - 7.4.2-2 +- make sodium mandatory on EL-7, to avoid user confusion + https://github.com/remicollet/remirepo/issues/137 + +* Tue Jan 21 2020 Remi Collet <remi@remirepo.net> - 7.4.2-1 +- Update to 7.4.2 - http://www.php.net/releases/7_4_2.php + +* Tue Jan 7 2020 Remi Collet <remi@remirepo.net> - 7.4.2~RC1-1 +- update to 7.4.2RC1 + +* Wed Dec 18 2019 Remi Collet <remi@remirepo.net> - 7.4.1-1 +- Update to 7.4.1 - http://www.php.net/releases/7_4_1.php + +* Wed Dec 11 2019 Remi Collet <remi@remirepo.net> - 7.4.1~RC1-1 +- update to 7.4.1RC1 +- use oracle client library version 19.5 + +* Wed Nov 27 2019 Remi Collet <remi@remirepo.net> - 7.4.0-1 +- update to 7.4.0 GA + +* Mon Nov 11 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc6-34 +- update to 7.4.0RC6 + +* Tue Oct 29 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc5-33 +- update to 7.4.0RC5 +- set opcache.enable_cli in provided default configuration + +* Fri Oct 25 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc4-32 +- add /usr/share/php/preload as default ffi.preload configuration + +* Thu Oct 24 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc4-31 +- allow wildcards in ffi.preload + +* Wed Oct 23 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc4-30 +- fix preload, add more upstream patches for #78713 #78716 + +* Mon Oct 21 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc4-29 +- fix preload, add upstream patch for #78512 + +* Tue Oct 15 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc4-28 +- update to 7.4.0RC4 + +* Fri Oct 11 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc3-27 +- test build with more upstream patches + +* Thu Oct 10 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc3-26 +- fix librt issue on F31 using upstream patch + +* Mon Oct 7 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc3-25 +- ensure all shared extensions can be loaded + +* Fri Oct 4 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc3-24 +- fix broken intl extension on EL-7 + +* Tue Oct 1 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc3-23 +- update to 7.4.0RC3 + +* Fri Sep 20 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc2-22 +- fix broken gmp extension https://bugs.php.net/78574 + +* Tue Sep 17 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc2-21 +- update to 7.4.0RC2 (new tag) + +* Tue Sep 17 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc2-19 +- update to 7.4.0RC2 +- add tarball signature check +- reduce to 4 concurrent test workers + +* Tue Sep 3 2019 Remi Collet <remi@remirepo.net> - 7.4.0~rc1-18 +- update to 7.4.0RC1 +- bump API number to 20190902 + +* Tue Aug 20 2019 Remi Collet <remi@remirepo.net> - 7.4.0~beta4-17 +- update to 7.4.0beta4 + +* Tue Aug 6 2019 Remi Collet <remi@remirepo.net> - 7.4.0~beta2-16 +- update to 7.4.0beta2 + +* Wed Jul 24 2019 Remi Collet <remi@remirepo.net> - 7.4.0~beta1-15 +- update to 7.4.0beta1 (new tag) + +* Tue Jul 23 2019 Remi Collet <remi@remirepo.net> - 7.4.0~beta1-14 +- update to 7.4.0beta1 +- main package now recommends commonly used extensions and SAPI + (json, mbstring, opcache, pdo, xml) +- fix gd build options and dependencies +- refresh provided configuration from upstream production values + +* Fri Jul 12 2019 Remi Collet <remi@remirepo.net> - 7.4.0~alpha3-13 +- drop recode extension, moved to php-pecl-recode +- add upstream patch for argon2 password + +* Tue Jul 9 2019 Remi Collet <remi@remirepo.net> - 7.4.0~alpha3-12 +- update to 7.4.0alpha3 +- drop argon2 dependency using libsodium implementation + +* Tue Jun 25 2019 Remi Collet <remi@remirepo.net> - 7.4.0~alpha2-11 +- update to 7.4.0alpha2 + +* Mon Jun 17 2019 Remi Collet <remi@remirepo.net> - 7.4.0~alpha1-10 +- use oracle client library version 19.3 + +* Wed Jun 12 2019 Remi Collet <remi@remirepo.net> - 7.4.0~alpha1-9 +- add 3 upstream patches + +* Wed Jun 12 2019 Remi Collet <remi@remirepo.net> - 7.4.0~alpha1-8 +- update to 7.4.0alpha1 + +* Wed Jun 12 2019 Remi Collet <remi@remirepo.net> - 7.4.0~DEV.20190612-7 +- new snapshot +- use pkgconfig dependencies for libxslt, libexslt, libsasl2, libargon2 + +* Wed Jun 5 2019 Remi Collet <remi@remirepo.net> - 7.4.0~DEV.20190605-6 +- new snapshot + +* Wed May 29 2019 Remi Collet <remi@remirepo.net> - 7.4.0~DEV.20190529-5 +- new snapshot +- bump ABI version +- add patch for old unixODBC from + https://github.com/php/php-src/pull/4203 + +* Tue May 28 2019 Remi Collet <remi@remirepo.net> - 7.4.0~DEV.20190528-4 +- new snapshot + +* Wed May 22 2019 Remi Collet <remi@remirepo.net> - 7.4.0~DEV.20190522-3 +- new snapshot with configuration updated from upstream + +* Tue May 21 2019 Remi Collet <remi@remirepo.net> - 7.4.0~DEV.20190521-2 +- new snapshot for enchant and sodium fix + +* Tue May 21 2019 Remi Collet <remi@remirepo.net> - 7.4.0~DEV.20190521-1 +- new snapshot for sqlite3 fix + +* Mon May 20 2019 Remi Collet <remi@remirepo.net> - 7.4.0~DEV.20190520-1 +- update to 7.4.0-dev +- drop interbase extension and sub-package +- move pdo_firebird extension in pdo-firebird sub-package +- drop wddx extension +- add ffi extension in new ffi sub-package +- use pkgconfig dependencies for ext using PHP_CHECK_MODULE + +* Wed May 15 2019 Remi Collet <remi@remirepo.net> - 7.3.6~RC1-2 +- update to 7.3.6RC1 (new tag) + +* Tue May 14 2019 Remi Collet <remi@remirepo.net> - 7.3.6~RC1-1 +- update to 7.3.6RC1 + +* Wed May 1 2019 Remi Collet <remi@remirepo.net> - 7.3.5-2 +- test build for https://bugs.php.net/77653 + patch from https://github.com/php/php-src/pull/4007 + +* Wed May 1 2019 Remi Collet <remi@remirepo.net> - 7.3.5-1 +- Update to 7.3.5 - http://www.php.net/releases/7_3_5.php + +* Tue Apr 16 2019 Remi Collet <remi@remirepo.net> - 7.3.5~RC1-1 +- update to 7.3.5RC1 + +* Fri Apr 5 2019 Remi Collet <remi@remirepo.net> - 7.3.4-3 +- build with system oniguruma5 + +* Wed Apr 3 2019 Remi Collet <remi@remirepo.net> - 7.3.4-2 +- test build for https://bugs.php.net/77653 + patch from https://github.com/php/php-src/pull/4007 + +* Tue Apr 2 2019 Remi Collet <remi@remirepo.net> - 7.3.4-1 +- Update to 7.3.4 - http://www.php.net/releases/7_3_4.php + +* Thu Mar 21 2019 Remi Collet <remi@remirepo.net> - 7.3.4~RC1-2 +- update to 7.3.4RC1 new tag +- add upstream patches for failed tests + +* Tue Mar 19 2019 Remi Collet <remi@remirepo.net> - 7.3.4~RC1-1 +- update to 7.3.4RC1 + +* Tue Mar 5 2019 Remi Collet <remi@remirepo.net> - 7.3.3-1 +- Update to 7.3.3 - http://www.php.net/releases/7_3_3.php +- add upstream patch for OpenSSL 1.1.1b + +* Fri Feb 22 2019 Remi Collet <remi@remirepo.net> - 7.3.3~RC1-2 +- php-devel: drop dependency on libicu-devel + +* Tue Feb 19 2019 Remi Collet <remi@remirepo.net> - 7.3.3~RC1-1 +- update to 7.3.3RC1 +- adapt systzdata patch (v18) + +* Mon Feb 18 2019 Remi Collet <remi@remirepo.net> - 7.3.2-3 +- pdo_oci: backport PDOStatement::getColumnMeta from 7.4 + +* Thu Feb 7 2019 Remi Collet <remi@remirepo.net> - 7.3.2-2 +- rebuild using libicu62 + +* Tue Feb 5 2019 Remi Collet <remi@remirepo.net> - 7.3.2-1 +- Update to 7.3.2 - http://www.php.net/releases/7_3_2.php + +* Tue Jan 22 2019 Remi Collet <remi@remirepo.net> - 7.3.2~RC1-1 +- update to 7.3.2RC1 +- update system tzdata patch for timelib 2018.01 + +* Thu Jan 17 2019 Remi Collet <remi@remirepo.net> 7.3.1-3 +- cleanup for EL-8 + +* Wed Jan 16 2019 Remi Collet <remi@remirepo.net> - 7.3.1-2 +- test build for https://bugs.php.net/77430 + +* Tue Jan 8 2019 Remi Collet <remi@remirepo.net> - 7.3.1-1 +- Update to 7.3.1 - http://www.php.net/releases/7_3_1.php + +* Tue Dec 18 2018 Remi Collet <remi@remirepo.net> - 7.3.1~RC1-1 +- update to 7.3.1RC1 +- oci8 version is now 2.2.0 + +* Tue Dec 4 2018 Remi Collet <remi@remirepo.net> - 7.3.0-1 +- update to 7.3.0 GA +- update FPM configuration from upstream + +* Tue Nov 20 2018 Remi Collet <remi@remirepo.net> - 7.3.0~rc6-1 +- update to 7.3.0RC6 + +* Tue Nov 6 2018 Remi Collet <remi@remirepo.net> - 7.3.0~rc5-1 +- update to 7.3.0RC5 + +* Mon Nov 5 2018 Remi Collet <remi@remirepo.net> - 7.3.0~rc4-2 +- test build for https://github.com/php/php-src/pull/3652 + +* Tue Oct 23 2018 Remi Collet <remi@remirepo.net> - 7.3.0~rc4-1 +- update to 7.3.0RC4 + +* Tue Oct 9 2018 Remi Collet <remi@remirepo.net> - 7.3.0~rc3-1 +- update to 7.3.0RC3 + +* Tue Sep 25 2018 Remi Collet <remi@remirepo.net> - 7.3.0~rc2-1 +- update to 7.3.0RC2 +- use oracle client library version 18.3 + +* Tue Sep 11 2018 Remi Collet <remi@remirepo.net> - 7.3.0~rc1-1 +- update to 7.3.0RC1 +- with oniguruma 6.9.0 + +* Mon Sep 3 2018 Remi Collet <remi@remirepo.net> - 7.3.0~beta3-3 +- add upstream patch for openssl failing test + +* Tue Aug 28 2018 Remi Collet <remi@remirepo.net> - 7.3.0~beta3-2 +- add upstream patch for F29 + +* Tue Aug 28 2018 Remi Collet <remi@remirepo.net> - 7.3.0~beta3-1 +- update to 7.3.0beta3 + +* Thu Aug 16 2018 Remi Collet <remi@remirepo.net> - 7.3.0~beta2-1 +- update to 7.3.0beta2 +- bump API numbers + +* Tue Jul 17 2018 Remi Collet <remi@remirepo.net> - 7.3.0~alpha4-1 +- update to 7.3.0alpha4 + +* Tue Jul 3 2018 Remi Collet <remi@remirepo.net> - 7.3.0~alpha3-1 +- update to 7.3.0alpha3 + +* Thu Jun 21 2018 Remi Collet <remi@remirepo.net> - 7.3.0~alpha2-2 +- update to 7.3.0alpha2 new sources + +* Tue Jun 19 2018 Remi Collet <remi@remirepo.net> - 7.3.0~alpha2-1 +- update to 7.3.0alpha2 +- bump php(zend-abi) and php(api) to 20180606 +- revert 5dd1ef90caec3021e6ce55c8554e695edf641eaf + +* Thu Jun 7 2018 Remi Collet <remi@remirepo.net> - 7.3.0~alpha1-1 +- update to 7.3.0alpha1 +- switch from pcre to pcre2 + +* Wed Jun 6 2018 Remi Collet <remi@remirepo.net> - 7.2.7~RC1-1 +- update to 7.2.7RC1 + +* Wed May 23 2018 Remi Collet <remi@remirepo.net> - 7.2.6-1 +- Update to 7.2.6 - http://www.php.net/releases/7_2_6.php + +* Mon May 14 2018 Remi Collet <remi@remirepo.net> - 7.2.6~RC1-2 +- rebuild against EL 7.5 + +* Sun May 13 2018 Remi Collet <remi@remirepo.net> - 7.2.6~RC1-1 +- update to 7.2.6RC1 + +* Tue Apr 24 2018 Remi Collet <remi@remirepo.net> - 7.2.5-1 +- Update to 7.2.5 - http://www.php.net/releases/7_2_5.php + +* Wed Apr 11 2018 Remi Collet <remi@remirepo.net> - 7.2.5~RC1-1 +- update to 7.2.5RC1 + +* Tue Apr 3 2018 Remi Collet <remi@remirepo.net> - 7.2.4-2 +- add upstream patch for oniguruma 6.8.1, FTBFS #1562583 + +* Tue Mar 27 2018 Remi Collet <remi@remirepo.net> - 7.2.4-1 +- Update to 7.2.4 - http://www.php.net/releases/7_2_4.php +- FPM: update default pool configuration for process.dumpable + +* Thu Mar 15 2018 Remi Collet <remi@remirepo.net> - 7.2.4~RC1-2 +- add file trigger to restart the php-fpm service + when new pool or new extension installed (F27+) + +* Tue Mar 13 2018 Remi Collet <remi@remirepo.net> - 7.2.4~RC1-1 +- update to 7.2.4RC1 + +* Fri Mar 2 2018 Remi Collet <remi@remirepo.net> - 7.2.3-2 +- devel: drop dependency on devtoolset + +* Wed Feb 28 2018 Remi Collet <remi@remirepo.net> - 7.2.3-1 +- Update to 7.2.3 - http://www.php.net/releases/7_2_3.php +- FPM: revert pid file removal +- improve devel dependencies + +* Wed Feb 14 2018 Remi Collet <remi@remirepo.net> - 7.2.3~RC1-3 +- rebuild for new tag and drop patch merged upstream +- drop ldconfig scriptlets on F28 + +* Wed Feb 14 2018 Remi Collet <remi@remirepo.net> - 7.2.3~RC1-2 +- update to 7.2.3RC1 +- adapt systzdata, fixheader and ldap_r patches +- apply upstream patch for date ext + +* Tue Jan 30 2018 Remi Collet <remi@remirepo.net> - 7.2.2-1 +- Update to 7.2.2 - http://www.php.net/releases/7_2_2.php + +* Tue Jan 16 2018 Remi Collet <remi@remirepo.net> - 7.2.2~RC1-1 +- update to 7.2.2RC1 +- define SOURCE_DATE_EPOCH for reproducible build + +* Wed Jan 3 2018 Remi Collet <remi@remirepo.net> - 7.2.1-1 +- Update to 7.2.1 - http://www.php.net/releases/7_2_1.php + +* Fri Dec 29 2017 Remi Collet <remi@remirepo.net> - 7.2.1~RC1-2 +- add upstream patch for https://bugs.php.net/75579 + +* Wed Dec 13 2017 Remi Collet <remi@remirepo.net> - 7.2.1~RC1-1 +- update to 7.2.1RC1 + +* Tue Nov 28 2017 Remi Collet <remi@remirepo.net> - 7.2.0-1 +- update to 7.2.0 GA + +* Tue Nov 7 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.31.RC6 +- update to 7.2.0RC6 + +* Tue Oct 24 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.30.RC5 +- update to 7.2.0RC5 + +* Wed Oct 18 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.29.RC4 +- enable argon2 password hash + +* Tue Oct 10 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.28.RC4 +- update to 7.2.0RC4 +- oci8 version is now 2.1.8 + +* Thu Sep 28 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.27.RC3 +- dont obsolete php72-php-pecl-libsodium + +* Tue Sep 26 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.26.RC3 +- update to 7.2.0RC3 + +* Mon Sep 25 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.25.RC3 +- RC3 test build +- F27: php now requires php-fpm and start it with httpd / nginx + +* Thu Sep 14 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.24.RC2 +- update builder from RHEL 7.3 to RHEL 7.4 + +* Wed Sep 13 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.23.RC2 +- update to 7.2.0RC2 + +* Thu Aug 31 2017 Remi Collet <remi@fedoraproject.org> - 7.2.0-0.22.RC1 +- add patch for EL-6, fix undefined symbol: sqlite3_errstr + +* Tue Aug 29 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.21.RC1 +- update to 7.2.0RC1 + +* Mon Aug 28 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.19.20170827.c22cda5 +- test build from git snapshot +- refresh configuration files, sync with upstream, drop .so suffix + +* Sun Aug 27 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.18.20170828.cc57774 +- test build from git snapshot + +* Tue Aug 22 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.17.20170822.3fff74a +- test build from git snapshot +- adapt tzdata patch for timelib 2017.05beta7 +- disable httpd MPM check + +* Tue Aug 15 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.16.beta3 +- update to 7.2.0beta3 + +* Tue Aug 1 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.15.beta2 +- add patch for EL-6, fix undefined symbol: sqlite3_errstr +- revert use of sqlite3_close_v2 on EL-6 + +* Tue Aug 1 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.14.beta2 +- update to 7.2.0beta2 +- oci8 version is now 2.1.7 + +* Tue Jul 18 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.13.beta1 +- update to 7.2.0beta1 +- oci8 version is now 2.1.6 +- bump apiver and zendver to 20170718 + +* Tue Jul 11 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.12.20170611.249f75e +- test build +- add sodium extension in new sub-package + +* Tue Jul 4 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.11.alpha3 +- update to 7.2.0alpha3 + +* Tue Jun 20 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.9.alpha2 +- update to 7.2.0alpha2 +- oci8 version is now 2.1.5 +- use oracle instant client version 12.2 + +* Tue Jun 6 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.8.alpha1 +- update to 7.2.0alpha1 + +* Fri Jun 2 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.7.20170602.a86c87d +- new snapshot +- use system oniguruma (F26) + +* Mon May 29 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.6.20170529.37a16a3 +- new snapshot + +* Mon May 29 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.5.alpha0 +- test build for release process test, 7.2.0alpha0 +- dba: add --with-lmdb build option + +* Tue May 16 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.4.20170516.0722a01 +- new snapshot + +* Sat May 6 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.3.20170504.5af997e +- new snapshot, May the 4th be with you +- enable PHP execution of .phar files, see #1117140 + +* Tue Apr 25 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.2.20170424.eb68c0d +- refresh + +* Wed Apr 12 2017 Remi Collet <remi@remirepo.net> - 7.2.0-0.1.20170412.efeab78 +- update to 7.2.0-dev +- drop mcrypt subpackage (removed upstream) + +* Tue Apr 11 2017 Remi Collet <remi@fedoraproject.org> - 7.1.4-1 +- Update to 7.1.4 - http://www.php.net/releases/7_1_4.php + +* Tue Mar 28 2017 Remi Collet <remi@fedoraproject.org> - 7.1.4-0.1.RC1 +- Update to 7.1.4RC1 + +* Tue Mar 14 2017 Remi Collet <remi@fedoraproject.org> - 7.1.3-1 +- Update to 7.1.3 - http://www.php.net/releases/7_1_3.php + +* Fri Mar 10 2017 Remi Collet <remi@fedoraproject.org> - 7.1.3-0.2.RC1 +- fix interbase build on F26 + +* Tue Feb 28 2017 Remi Collet <remi@fedoraproject.org> - 7.1.3-0.1.RC1 +- Update to 7.1.3RC1 + +* Wed Feb 15 2017 Remi Collet <remi@fedoraproject.org> - 7.1.2-1 +- Update to 7.1.2 - http://www.php.net/releases/7_1_2.php + +* Thu Feb 2 2017 Remi Collet <remi@fedoraproject.org> - 7.1.2-0.2.RC1 +- Update to 7.1.2RC1 (new sources) + +* Wed Feb 1 2017 Remi Collet <remi@fedoraproject.org> 7.1.2-0.1.RC1 +- Update to 7.1.2RC1 + +* Wed Jan 18 2017 Remi Collet <remi@fedoraproject.org> 7.1.1-3 +- EL-7: add patch for https://bugs.php.net/73956 +- switch back to gcc 6.2 + +* Wed Jan 18 2017 Remi Collet <remi@fedoraproject.org> 7.1.1-2 +- EL-7: rebuild using gcc 4.8 instead of 6.2 + because of https://bugzilla.redhat.com/1414348 + +* Wed Jan 18 2017 Remi Collet <remi@fedoraproject.org> 7.1.1-1 +- Update to 7.1.1 - http://www.php.net/releases/7_1_1.php + +* Thu Jan 5 2017 Remi Collet <remi@fedoraproject.org> 7.1.1-0.1.RC1 +- Update to 7.1.1RC1 + +* Mon Dec 26 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-2 +- test optimized build using GCC 6.2 + +* Thu Dec 1 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-1 +- Update to 7.1.0 - http://www.php.net/releases/7_1_0.php +- use bundled pcre library 8.38 on EL-7 +- disable pcre.jit everywhere as it raise AVC #1398474 +- sync provided configuration with upstream production defaults + +* Wed Nov 9 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.13.RC6 +- Update to 7.1.0RC6 + +* Wed Oct 26 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.12.RC5 +- Update to 7.1.0RC5 + +* Mon Oct 17 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.11.RC4 +- Update to 7.1.0RC4 +- update tzdata patch to v14, improve check for valid tz file +- oci8 version is now 2.1.3 + +* Wed Oct 5 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.10.RC3 +- rebuild + +* Thu Sep 29 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.9.RC3 +- Update to 7.1.0RC3 + +* Wed Sep 14 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.8.RC2 +- Update to 7.1.0RC2 +- API version is now 20160303 + +* Thu Sep 1 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.8.RC1 +- Update to 7.1.0RC1 +- oci8 version is now 2.1.2 + +* Wed Aug 3 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.7.beta2 +- Update to 7.1.0beta2 + +* Thu Jul 21 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.6.beta1 +- Update to 7.1.0beta1 + +* Wed Jul 6 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.5.alpha3 +- Update to 7.1.0alpha3 + +* Thu Jun 30 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.4.alpha2 +- own tests/doc directories for pecl packages (f24) + +* Wed Jun 22 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.3.alpha2 +- Update to 7.1.0alpha2 (rebuild) + +* Wed Jun 22 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.2.alpha2 +- Update to 7.1.0alpha2 + +* Wed Jun 8 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.1.alpha1 +- Update to 7.1.0alpha1 + +* Wed May 25 2016 Remi Collet <remi@fedoraproject.org> 7.0.7-1 +- Update to 7.0.7 - http://www.php.net/releases/7_0_7.php + +* Thu May 12 2016 Remi Collet <remi@fedoraproject.org> 7.0.7-0.1.RC1 +- Update to 7.0.7RC1 +- oci8 version is now 2.1.1 + +* Thu Apr 28 2016 Remi Collet <remi@fedoraproject.org> 7.0.6-3 +- Update to 7.0.6 - http://www.php.net/releases/7_0_6.php +- rebuild for new sources + +* Wed Apr 27 2016 Remi Collet <remi@fedoraproject.org> 7.0.6-2 +- Update to 7.0.6 + http://www.php.net/releases/7_0_6.php + +* Tue Apr 12 2016 Remi Collet <remi@fedoraproject.org> 7.0.6-0.2.RC1 +- Update to 7.0.6RC1 + +* Fri Apr 8 2016 Remi Collet <remi@fedoraproject.org> 7.0.5-2 +- Fixed bug #71914 (Reference is lost in "switch") + +* Wed Mar 30 2016 Remi Collet <remi@fedoraproject.org> 7.0.5-1 +- Update to 7.0.5 + http://www.php.net/releases/7_0_5.php + +* Wed Mar 16 2016 Remi Collet <remi@fedoraproject.org> 7.0.5-0.1.RC1 +- Update to 7.0.5RC1 + +* Sun Mar 6 2016 Remi Collet <remi@fedoraproject.org> 7.0.4-2 +- adapt for F24: define %%pecl_xmldir and own it + +* Wed Mar 2 2016 Remi Collet <remi@fedoraproject.org> 7.0.4-1 +- Update to 7.0.4 + http://www.php.net/releases/7_0_4.php +- pcre: disables JIT compilation of patterns with system pcre < 8.38 + +* Thu Feb 18 2016 Remi Collet <remi@fedoraproject.org> 7.0.4-0.1.RC1 +- Update to 7.0.4RC1 + +* Wed Feb 3 2016 Remi Collet <remi@fedoraproject.org> 7.0.3-1 +- Update to 7.0.3 + http://www.php.net/releases/7_0_3.php + +* Fri Jan 29 2016 Remi Collet <remi@fedoraproject.org> 7.0.3-0.3.20160129gitdd3d10c +- test build + +* Fri Jan 29 2016 Remi Collet <remi@fedoraproject.org> 7.0.3-0.2.RC1 +- FPM: test build for https://bugs.php.net/62172 + +* Wed Jan 20 2016 Remi Collet <remi@fedoraproject.org> 7.0.3-0.1.RC1 +- Update to 7.0.3RC1 + +* Wed Jan 6 2016 Remi Collet <remi@fedoraproject.org> 7.0.2-1 +- Update to 7.0.2 + http://www.php.net/releases/7_0_2.php + +* Sun Dec 27 2015 Remi Collet <remi@fedoraproject.org> 7.0.2-0.1.RC1 +- Update to 7.0.2RC1 +- opcache: build with --disable-huge-code-pages on EL-6 + +* Wed Dec 16 2015 Remi Collet <remi@fedoraproject.org> 7.0.1-1 +- Update to 7.0.1 + http://www.php.net/releases/7_0_1.php +- curl: add CURL_SSLVERSION_TLSv1_x constant (EL) +- fpm: switch to UDS on Fedora >= 21 + +* Wed Dec 9 2015 Remi Collet <remi@fedoraproject.org> 7.0.1-0.1.RC1 +- Update to 7.0.1RC1 +- drop --disable-huge-code-pages build option on EL-6, + but keep it disabled in default configuration + +* Thu Dec 3 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-2 +- build with --disable-huge-code-pages on EL-6 + +* Tue Dec 1 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-1 +- Update to 7.0.0 + http://www.php.net/releases/7_0_0.php + +* Mon Nov 30 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.26.RC8 +- set opcache.huge_code_pages=0 on EL-6 + see https://bugs.php.net/70973 and https://bugs.php.net/70977 + +* Wed Nov 25 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.25.RC8 +- Update to 7.0.0RC8 +- set opcache.huge_code_pages=1 on x86_64 + +* Thu Nov 12 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.24.RC7 +- Update to 7.0.0RC7 (retagged) + +* Wed Nov 11 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.23.RC7 +- Update to 7.0.0RC7 + +* Wed Oct 28 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.22.RC6 +- Update to 7.0.0RC6 + +* Mon Oct 19 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.21.RC5 +- php-config: reports all built sapis + +* Wed Oct 14 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.20.RC5 +- rebuild as retagged + +* Tue Oct 13 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.19.RC5 +- Update to 7.0.0RC5 +- update php-fpm.d/www.conf comments +- API and Zend API are now set to 20151012 + +* Wed Sep 30 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.18.RC4 +- Update to 7.0.0RC4 +- php-fpm: set http authorization headers + +* Fri Sep 18 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.17.RC3 +- F23 rebuild with rh_layout + +* Wed Sep 16 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.16.RC3 +- Update to 7.0.0RC3 +- disable zip extension (provided in php-pecl-zip) + +* Fri Sep 4 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.15.RC2 +- Update to 7.0.0RC2 +- enable oci8 and pdo_oci extensions +- sync php.ini with upstream php.ini-production + +* Sat Aug 22 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.14.RC1 +- Update to 7.0.0RC1 + +* Wed Aug 5 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.13.beta3 +- Update to 7.0.0beta3 + +* Wed Jul 22 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.12.beta2 +- Update to 7.0.0beta2 +- switch from libvpx to libwebp (only for bundled libgd, not used) + +* Wed Jul 8 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.11.beta1 +- Update to 7.0.0beta1 +- use upstream tarball instead of git snapshot + +* Wed Jun 24 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.10.alpha2 +- Update to 7.0.0alpha2 +- use new layout (/etc/opt, /var/opt) + +* Wed Jun 17 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.9.20150617git3697f02 +- new snapshot + +* Thu Jun 11 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.9.20150611git8cfe282 +- new snapshot +- the phar link is now correctly created + +* Tue Jun 9 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.8.alpha1 +- Update to 7.0.0alpha1 + +* Tue Jun 2 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.7.20150602git8a089e7 +- new snapshot + +* Fri May 29 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.7.20150525git6f46fa3 +- new snapshot +- t1lib support have been removed + +* Mon May 25 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.6.20150525git404360f +- new snapshot + +* Mon May 18 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.6.20150518gitcee8857 +- new snapshot + +* Sat May 16 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.6.20150515gitc9f27ee +- new snapshot + +* Tue Apr 28 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.6.20150507gitdd0b602 +- add experimental file based opcode cache (disabled by default) + +* Tue Apr 28 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.5.20150428git94f0b94 +- new snapshot + +* Mon Apr 27 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.5.20150427git1a4d3e4 +- new snapshot +- adapt system tzdata patch for upstream change for new zic + +* Sat Apr 18 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.5.20150418git1f0a624 +- new snapshot + +* Thu Apr 16 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.5.20150416gitc77d97f +- new snapshot + +* Fri Apr 3 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.5.20150403gitadcf0c6 +- new snapshot + +* Tue Mar 31 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.4.20150331git463ca30 +- rename 10-php70-php.conf to 15-php70-php.conf to + ensure load order (after 10-rh-php56-php.conf) + +* Wed Mar 25 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.3.20150325git2fe6acd +- rebuild + +* Wed Mar 25 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.2.20150325git23336d7 +- fix mod_php configuration +- disable static json +- sync php.ini with upstream php.ini-production + +* Wed Mar 25 2015 Remi Collet <remi@fedoraproject.org> 7.0.0-0.1.20150325git23336d7 +- update for php 7.0.0 +- ereg, mssql, mysql and sybase_ct extensions are removed +- add pdo-dblib subpackage (instead of php-mssql) +- disable oci8 extension, not yet adapted for 7.0 +- add php-zip subpackage +- add php-json subpackage + +* Thu Mar 19 2015 Remi Collet <remi@fedoraproject.org> 5.6.7-1 +- Update to 5.6.7 + http://www.php.net/releases/5_6_7.php + +* Sun Mar 8 2015 Remi Collet <remi@fedoraproject.org> 5.6.7-0.1.RC1 +- update to 5.6.7RC1 + +* Thu Feb 19 2015 Remi Collet <remi@fedoraproject.org> 5.6.6-1 +- Update to 5.6.6 + http://www.php.net/releases/5_6_6.php + +* Wed Jan 21 2015 Remi Collet <remi@fedoraproject.org> 5.6.5-1 +- Update to 5.6.5 + http://www.php.net/releases/5_6_5.php + +* Tue Jan 20 2015 Remi Collet <rcollet@redhat.com> 5.6.5-0.2.RC1 +- fix php-fpm.service.d location + +* Fri Jan 9 2015 Remi Collet <remi@fedoraproject.org> 5.6.5-0.1.RC1 +- update to 5.6.5RC1 +- add base system path in default include path +- FPM: enable ACL for Unix Domain Socket + +* Wed Dec 17 2014 Remi Collet <remi@fedoraproject.org> 5.6.4-2 +- Update to 5.6.4 + http://www.php.net/releases/5_6_4.php +- add sybase_ct extension (in mssql sub-package) +- xmlrpc requires xml + +* Wed Dec 10 2014 Remi Collet <remi@fedoraproject.org> 5.6.4-1 +- Update to 5.6.4 + http://www.php.net/releases/5_6_4.php + +* Thu Nov 27 2014 Remi Collet <remi@fedoraproject.org> 5.6.4-0.1.RC1 +- update to 5.6.4RC1 + +* Wed Nov 26 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-3 +- add embedded sub package +- filter all libraries to avoid provides + +* Sun Nov 16 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-2 +- FPM: add upstream patch for https://bugs.php.net/68421 + access.format=R doesn't log ipv6 address +- FPM: add upstream patch for https://bugs.php.net/68420 + listen=9000 listens to ipv6 localhost instead of all addresses +- FPM: add upstream patch for https://bugs.php.net/68423 + will no longer load all pools + +* Thu Nov 13 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-1 +- Update to PHP 5.6.3 + http://php.net/releases/5_6_3.php + +* Sun Nov 2 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-0.1.RC1 +- update to 5.6.3RC1 +- new version of systzdata patch, fix case sensitivity +- ignore Factory in date tests +- disable opcache.fast_shutdown in default config +- add php56-cgi command in base system + +* Thu Oct 16 2014 Remi Collet <remi@fedoraproject.org> 5.6.2-1 +- Update to PHP 5.6.2 + http://php.net/releases/5_6_2.php + +* Fri Oct 3 2014 Remi Collet <remi@fedoraproject.org> 5.6.1-1 +- Update to PHP 5.6.1 + http://php.net/releases/5_6_1.php +- use default system cipher list by Fedora policy + http://fedoraproject.org/wiki/Changes/CryptoPolicy +- add system php library to default include_path + +* Fri Aug 29 2014 Remi Collet <remi@fedoraproject.org> 5.6.0-1.1 +- enable libvpx on EL 6 (with libvpx 1.3.0) +- add php56-phpdbg command in base system + +* Thu Aug 28 2014 Remi Collet <remi@fedoraproject.org> 5.6.0-1 +- PHP 5.6.0 is GA +- add lsphp56 command in base system + +* Sun Aug 24 2014 Remi Collet <rcollet@redhat.com> - 5.6.0-0.1.RC4 +- initial spec for PHP 5.6 as Software Collection +- adapted from php 5.6 spec file from remi repository +- adapted from php 5.5 spec file from rhscl 1.1 + +* Tue May 13 2014 Remi Collet <rcollet@redhat.com> - 5.5.6-10 +- fileinfo: fix out-of-bounds memory access CVE-2014-2270 +- fileinfo: fix extensive backtracking CVE-2013-7345 + +* Fri Mar 21 2014 Remi Collet <rcollet@redhat.com> - 5.5.6-9 +- gd: fix NULL deref in imagecrop CVE-2013-7327 +- gd: drop vpx support, fix huge memory consumption #1075201 + +* Fri Feb 21 2014 Remi Collet <rcollet@redhat.com> - 5.5.6-8 +- fix patch name +- fix memory leak introduce in patch for CVE-2014-1943 +- fix heap-based buffer over-read in DateInterval CVE-2013-6712 + +* Wed Feb 19 2014 Remi Collet <rcollet@redhat.com> - 5.5.6-7 +- fix infinite recursion in fileinfo CVE-2014-1943 + +* Fri Feb 14 2014 Remi Collet <rcollet@redhat.com> - 5.5.6-6 +- fix heap overflow vulnerability in imagecrop CVE-2013-7226 + +* Tue Feb 4 2014 Remi Collet <rcollet@redhat.com> - 5.5.6-5 +- allow multiple paths in ini_scan_dir #1058161 + +* Fri Dec 6 2013 Remi Collet <rcollet@redhat.com> - 5.5.6-4 +- add security fix for CVE-2013-6420 + +* Tue Nov 19 2013 Remi Collet <rcollet@redhat.com> 5.5.6-2 +- rebuild with test enabled +- add dependency on php-pecl-jsonc + +* Tue Nov 19 2013 Remi Collet <rcollet@redhat.com> 5.5.6-0 +- update to PHP 5.5.6 +- buildstrap build + +* Thu Oct 17 2013 Remi Collet <rcollet@redhat.com> 5.5.5-1 +- update to PHP 5.5.5 +- mod_php only for httpd24 + +* Thu Sep 19 2013 Remi Collet <rcollet@redhat.com> 5.5.4-1 +- update to PHP 5.5.4 +- improve security, use specific soap.wsdl_cache_dir + use /var/lib/php/wsdlcache for mod_php and php-fpm +- sync short_tag comments in php.ini with upstream +- relocate RPM macro + +* Wed Aug 21 2013 Remi Collet <rcollet@redhat.com> 5.5.3-1 +- update to PHP 5.5.3 +- improve system libzip patch +- fix typo and add missing entries in php.ini + +* Fri Aug 2 2013 Remi Collet <rcollet@redhat.com> 5.5.1-1 +- update to PHP 5.5.1 for php55 SCL + +* Mon Jul 29 2013 Remi Collet <rcollet@redhat.com> 5.4.16-6 +- rebuild for new httpd-mmn value + +* Mon Jul 29 2013 Remi Collet <rcollet@redhat.com> 5.4.16-5 +- remove ZTS conditional stuf for ligibility +- add mod_php for apache 2.4 (from httpd24 collection) + +* Thu Jul 18 2013 Remi Collet <rcollet@redhat.com> 5.4.16-4 +- improve mod_php, pgsql and ldap description +- add missing man pages (phar, php-cgi) +- add provides php(pdo-abi) for consistency with php(api) and php(zend-abi) +- use %%__isa_bits instead of %%__isa in ABI suffix #985350 + +* Fri Jul 12 2013 Remi Collet <rcollet@redhat.com> - 5.4.16-3 +- add security fix for CVE-2013-4113 +- add missing ASL 1.0 license + +* Fri Jun 7 2013 Remi Collet <rcollet@redhat.com> 5.4.16-2 +- run tests during build + +* Fri Jun 7 2013 Remi Collet <rcollet@redhat.com> 5.4.16-1 +- rebase to 5.4.16 +- fix hang in FindTishriMolad(), #965144 +- patch for upstream Bug #64915 error_log ignored when daemonize=0 +- patch for upstream Bug #64949 Buffer overflow in _pdo_pgsql_error, #969103 +- patch for upstream bug #64960 Segfault in gc_zval_possible_root + +* Thu May 23 2013 Remi Collet <rcollet@redhat.com> 5.4.14-3 +- remove wrappers in /usr/bin (#966407) + +* Thu Apr 25 2013 Remi Collet <rcollet@redhat.com> 5.4.14-2 +- rebuild for libjpeg (instead of libjpeg_turbo) +- fix unowned dir %%{_datadir}/fpm and %%{_libdir}/httpd (#956221) + +* Thu Apr 11 2013 Remi Collet <rcollet@redhat.com> 5.4.14-1 +- update to 5.4.14 +- clean old deprecated options + +* Wed Mar 13 2013 Remi Collet <rcollet@redhat.com> 5.4.13-1 +- update to 5.4.13 +- security fixes for CVE-2013-1635 and CVE-2013-1643 +- make php-mysql package optional (and disabled) +- make ZTS build optional (and disabled) +- always try to load mod_php (apache warning is usefull) +- Hardened build (links with -z now option) +- Remove %%config from /etc/rpm/macros.php + +* Wed Jan 16 2013 Remi Collet <rcollet@redhat.com> 5.4.11-1 +- update to 5.4.11 +- fix php.conf to allow MultiViews managed by php scripts + +* Wed Dec 19 2012 Remi Collet <rcollet@redhat.com> 5.4.10-1 +- update to 5.4.10 +- remove patches merged upstream +- drop "Configure Command" from phpinfo output +- prevent php_config.h changes across (otherwise identical) + rebuilds + + +* Thu Nov 22 2012 Remi Collet <rcollet@redhat.com> 5.4.9-1 +- update to 5.4.9 + +* Mon Nov 19 2012 Remi Collet <rcollet@redhat.com> 5.4.8-7 +- fix php.conf + +* Mon Nov 19 2012 Remi Collet <rcollet@redhat.com> 5.4.8-6 +- filter private shared in _httpd_modir +- improve system libzip patch to use pkg-config +- use _httpd_contentdir macro and fix php.gif path +- switch back to upstream generated scanner/parser +- use system pcre only when recent enough + +* Fri Nov 16 2012 Remi Collet <rcollet@redhat.com> 5.4.8-5 +- improves php.conf, no need to be relocated + +* Fri Nov 9 2012 Remi Collet <rcollet@redhat.com> 5.4.8-6 +- clarify Licenses +- missing provides xmlreader and xmlwriter +- change php embedded library soname version to 5.4 + +* Mon Nov 5 2012 Remi Collet <rcollet@redhat.com> 5.4.8-4 +- fix mysql_sock macro definition + +* Thu Oct 25 2012 Remi Collet <rcollet@redhat.com> 5.4.8-4 +- fix standard build (non scl) + +* Thu Oct 25 2012 Remi Collet <rcollet@redhat.com> 5.4.8-3 +- fix installed headers + +* Tue Oct 23 2012 Joe Orton <jorton@redhat.com> - 5.4.8-2 +- use libldap_r for ldap extension + +* Tue Oct 23 2012 Remi Collet <rcollet@redhat.com> 5.4.8-3 +- add missing scl_prefix in some provides/requires + +* Tue Oct 23 2012 Remi Collet <rcollet@redhat.com> 5.4.8-2.1 +- make php-enchant optionnal, not available on RHEL-5 +- make php-recode optionnal, not available on RHEL-5 +- disable t1lib on RHEL-5 + +* Tue Oct 23 2012 Remi Collet <rcollet@redhat.com> 5.4.8-2 +- enable tidy on RHEL-6 only +- re-enable unit tests + +* Tue Oct 23 2012 Remi Collet <rcollet@redhat.com> 5.4.8-1.2 +- minor macro fixes for RHEL-5 build +- update autotools workaround for RHEL-5 +- use readline when libedit not available (RHEL-5) + +* Mon Oct 22 2012 Remi Collet <rcollet@redhat.com> 5.4.8-1 +- update to 5.4.8 +- define both session.save_handler and session.save_path +- fix possible segfault in libxml (#828526) +- use SKIP_ONLINE_TEST during make test +- php-devel requires pcre-devel and php-cli (instead of php) +- provides php-phar +- update systzdata patch to v10, timezone are case insensitive + +* Mon Oct 15 2012 Remi Collet <rcollet@redhat.com> 5.4.7-4 +- php-fpm: create apache user if needed +- php-cli: provides cli command in standard root (scl) + +* Fri Oct 12 2012 Remi Collet <rcollet@redhat.com> 5.4.7-3 +- add configtest option to init script +- test configuration before service reload +- fix php-fpm service relocation +- fix php-fpm config relocation +- drop embdded subpackage for scl + +* Wed Oct 3 2012 Remi Collet <rcollet@redhat.com> 5.4.7-2 +- missing requires on scl-runtime +- relocate /var/lib/session +- fix php-devel requires +- rename, but don't relocate macros.php + +* Tue Oct 2 2012 Remi Collet <rcollet@redhat.com> 5.4.7-1 +- initial spec rewrite for scl build + +* Mon Oct 1 2012 Remi Collet <remi@fedoraproject.org> 5.4.7-10 +- fix typo in systemd macro + +* Mon Oct 1 2012 Remi Collet <remi@fedoraproject.org> 5.4.7-9 +- php-fpm: enable PrivateTmp +- php-fpm: new systemd macros (#850268) +- php-fpm: add upstream patch for startup issue (#846858) + +* Fri Sep 28 2012 Remi Collet <rcollet@redhat.com> 5.4.7-8 +- systemd integration, https://bugs.php.net/63085 +- no odbc call during timeout, https://bugs.php.net/63171 +- check sqlite3_column_table_name, https://bugs.php.net/63149 + +* Mon Sep 24 2012 Remi Collet <rcollet@redhat.com> 5.4.7-7 +- most failed tests explained (i386, x86_64) + +* Wed Sep 19 2012 Remi Collet <rcollet@redhat.com> 5.4.7-6 +- fix for http://bugs.php.net/63126 (#783967) + +* Wed Sep 19 2012 Remi Collet <rcollet@redhat.com> 5.4.7-5 +- patch to ensure we use latest libdb (not libdb4) + +* Wed Sep 19 2012 Remi Collet <rcollet@redhat.com> 5.4.7-4 +- really fix rhel tests (use libzip and libdb) + +* Tue Sep 18 2012 Remi Collet <rcollet@redhat.com> 5.4.7-3 +- fix test to enable zip extension on RHEL-7 + +* Mon Sep 17 2012 Remi Collet <remi@fedoraproject.org> 5.4.7-2 +- remove session.save_path from php.ini + move it to apache and php-fpm configuration files + +* Fri Sep 14 2012 Remi Collet <remi@fedoraproject.org> 5.4.7-1 +- update to 5.4.7 + http://www.php.net/releases/5_4_7.php +- php-fpm: don't daemonize + +* Mon Aug 20 2012 Remi Collet <remi@fedoraproject.org> 5.4.6-2 +- enable php-fpm on secondary arch (#849490) + +* Fri Aug 17 2012 Remi Collet <remi@fedoraproject.org> 5.4.6-1 +- update to 5.4.6 +- update to v9 of systzdata patch +- backport fix for new libxml + +* Fri Jul 20 2012 Remi Collet <remi@fedoraproject.org> 5.4.5-1 +- update to 5.4.5 + +* Mon Jul 02 2012 Remi Collet <remi@fedoraproject.org> 5.4.4-4 +- also provide php(language)%%{_isa} +- define %%{php_version} + +* Mon Jul 02 2012 Remi Collet <remi@fedoraproject.org> 5.4.4-3 +- drop BR for libevent (#835671) +- provide php(language) to allow version check + +* Thu Jun 21 2012 Remi Collet <remi@fedoraproject.org> 5.4.4-2 +- add missing provides (core, ereg, filter, standard) + +* Thu Jun 14 2012 Remi Collet <remi@fedoraproject.org> 5.4.4-1 +- update to 5.4.4 (CVE-2012-2143, CVE-2012-2386) +- use /usr/lib/tmpfiles.d instead of /etc/tmpfiles.d +- use /run/php-fpm instead of /var/run/php-fpm + +* Wed May 09 2012 Remi Collet <remi@fedoraproject.org> 5.4.3-1 +- update to 5.4.3 (CVE-2012-2311, CVE-2012-2329) + +* Thu May 03 2012 Remi Collet <remi@fedoraproject.org> 5.4.2-1 +- update to 5.4.2 (CVE-2012-1823) + +* Fri Apr 27 2012 Remi Collet <remi@fedoraproject.org> 5.4.1-1 +- update to 5.4.1 + +* Wed Apr 25 2012 Joe Orton <jorton@redhat.com> - 5.4.0-6 +- rebuild for new icu +- switch (conditionally) to libdb-devel + +* Sat Mar 31 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-5 +- fix Loadmodule with MPM event (use ZTS if not MPM worker) +- split conf.d/php.conf + conf.modules.d/10-php.conf with httpd 2.4 + +* Thu Mar 29 2012 Joe Orton <jorton@redhat.com> - 5.4.0-4 +- rebuild for missing automatic provides (#807889) + +* Mon Mar 26 2012 Joe Orton <jorton@redhat.com> - 5.4.0-3 +- really use _httpd_mmn + +* Mon Mar 26 2012 Joe Orton <jorton@redhat.com> - 5.4.0-2 +- rebuild against httpd 2.4 +- use _httpd_mmn, _httpd_apxs macros + +* Fri Mar 02 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-1 +- update to PHP 5.4.0 finale + +* Sat Feb 18 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-0.4.RC8 +- update to PHP 5.4.0RC8 + +* Sat Feb 04 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-0.3.RC7 +- update to PHP 5.4.0RC7 +- provides env file for php-fpm (#784770) +- add patch to use system libzip (thanks to spot) +- don't provide INSTALL file + +* Wed Jan 25 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-0.2.RC6 +- all binaries in /usr/bin with zts prefix + +* Wed Jan 18 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-0.1.RC6 +- update to PHP 5.4.0RC6 + https://fedoraproject.org/wiki/Features/Php54 + +* Sun Jan 08 2012 Remi Collet <remi@fedoraproject.org> 5.3.8-4.4 +- fix systemd unit + +* Mon Dec 12 2011 Remi Collet <remi@fedoraproject.org> 5.3.8-4.3 +- switch to systemd + +* Tue Dec 06 2011 Adam Jackson <ajax@redhat.com> - 5.3.8-4.2 +- Rebuild for new libpng + +* Wed Oct 26 2011 Marcela Mašláňová <mmaslano@redhat.com> - 5.3.8-3.2 +- rebuild with new gmp without compat lib + +* Wed Oct 12 2011 Peter Schiffer <pschiffe@redhat.com> - 5.3.8-3.1 +- rebuild with new gmp + +* Wed Sep 28 2011 Remi Collet <remi@fedoraproject.org> 5.3.8-3 +- revert is_a() to php <= 5.3.6 behavior (from upstream) + with new option (allow_string) for new behavior + +* Tue Sep 13 2011 Remi Collet <remi@fedoraproject.org> 5.3.8-2 +- add mysqlnd sub-package +- drop patch4, use --libdir to use /usr/lib*/php/build +- add patch to redirect mysql.sock (in mysqlnd) + +* Tue Aug 23 2011 Remi Collet <remi@fedoraproject.org> 5.3.8-1 +- update to 5.3.8 + http://www.php.net/ChangeLog-5.php#5.3.8 + +* Thu Aug 18 2011 Remi Collet <remi@fedoraproject.org> 5.3.7-1 +- update to 5.3.7 + http://www.php.net/ChangeLog-5.php#5.3.7 +- merge php-zts into php (#698084) + +* Tue Jul 12 2011 Joe Orton <jorton@redhat.com> - 5.3.6-4 +- rebuild for net-snmp SONAME bump + +* Mon Apr 4 2011 Remi Collet <Fedora@famillecollet.com> 5.3.6-3 +- enable mhash extension (emulated by hash extension) + +* Wed Mar 23 2011 Remi Collet <Fedora@famillecollet.com> 5.3.6-2 +- rebuild for new MySQL client library + +* Thu Mar 17 2011 Remi Collet <Fedora@famillecollet.com> 5.3.6-1 +- update to 5.3.6 + http://www.php.net/ChangeLog-5.php#5.3.6 +- fix php-pdo arch specific requires + +* Tue Mar 15 2011 Joe Orton <jorton@redhat.com> - 5.3.5-6 +- disable zip extension per "No Bundled Libraries" policy (#551513) + +* Mon Mar 07 2011 Caolán McNamara <caolanm@redhat.com> 5.3.5-5 +- rebuild for icu 4.6 + +* Mon Feb 28 2011 Remi Collet <Fedora@famillecollet.com> 5.3.5-4 +- fix systemd-units requires + +* Thu Feb 24 2011 Remi Collet <Fedora@famillecollet.com> 5.3.5-3 +- add tmpfiles.d configuration for php-fpm +- add Arch specific requires/provides + +* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Jan 07 2011 Remi Collet <Fedora@famillecollet.com> 5.3.5-1 +- update to 5.3.5 + http://www.php.net/ChangeLog-5.php#5.3.5 +- clean duplicate configure options + +* Tue Dec 28 2010 Remi Collet <rpms@famillecollet.com> 5.3.4-2 +- rebuild against MySQL 5.5.8 +- remove all RPM_SOURCE_DIR + +* Sun Dec 12 2010 Remi Collet <rpms@famillecollet.com> 5.3.4-1.1 +- security patch from upstream for #660517 + +* Sat Dec 11 2010 Remi Collet <Fedora@famillecollet.com> 5.3.4-1 +- update to 5.3.4 + http://www.php.net/ChangeLog-5.php#5.3.4 +- move phpize to php-cli (see #657812) + +* Wed Dec 1 2010 Remi Collet <Fedora@famillecollet.com> 5.3.3-5 +- ghost /var/run/php-fpm (see #656660) +- add filter_setup to not provides extensions as .so + +* Mon Nov 1 2010 Joe Orton <jorton@redhat.com> - 5.3.3-4 +- use mysql_config in libdir directly to avoid biarch build failures + +* Fri Oct 29 2010 Joe Orton <jorton@redhat.com> - 5.3.3-3 +- rebuild for new net-snmp + +* Sun Oct 10 2010 Remi Collet <Fedora@famillecollet.com> 5.3.3-2 +- add php-fpm sub-package + +* Thu Jul 22 2010 Remi Collet <Fedora@famillecollet.com> 5.3.3-1 +- PHP 5.3.3 released + +* Fri Apr 30 2010 Remi Collet <Fedora@famillecollet.com> 5.3.2-3 +- garbage collector upstream patches (#580236) + +* Fri Apr 02 2010 Caolán McNamara <caolanm@redhat.com> 5.3.2-2 +- rebuild for icu 4.4 + +* Sat Mar 06 2010 Remi Collet <Fedora@famillecollet.com> 5.3.2-1 +- PHP 5.3.2 Released! +- remove mime_magic option (now provided by fileinfo, by emu) +- add patch for http://bugs.php.net/50578 +- remove patch for libedit (upstream) +- add runselftest option to allow build without test suite + +* Fri Nov 27 2009 Joe Orton <jorton@redhat.com> - 5.3.1-3 +- update to v7 of systzdata patch + +* Wed Nov 25 2009 Joe Orton <jorton@redhat.com> - 5.3.1-2 +- fix build with autoconf 2.6x + +* Fri Nov 20 2009 Remi Collet <Fedora@famillecollet.com> 5.3.1-1 +- update to 5.3.1 +- remove openssl patch (merged upstream) +- add provides for php-pecl-json +- add prod/devel php.ini in doc + +* Tue Nov 17 2009 Tom "spot" Callaway <tcallawa@redhat.com> - 5.3.0-7 +- use libedit instead of readline to resolve licensing issues + +* Tue Aug 25 2009 Tomas Mraz <tmraz@redhat.com> - 5.3.0-6 +- rebuilt with new openssl + +* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jul 16 2009 Joe Orton <jorton@redhat.com> 5.3.0-4 +- rediff systzdata patch + +* Thu Jul 16 2009 Joe Orton <jorton@redhat.com> 5.3.0-3 +- update to v6 of systzdata patch; various fixes + +* Tue Jul 14 2009 Joe Orton <jorton@redhat.com> 5.3.0-2 +- update to v5 of systzdata patch; parses zone.tab and extracts + timezone->{country-code,long/lat,comment} mapping table + +* Sun Jul 12 2009 Remi Collet <Fedora@famillecollet.com> 5.3.0-1 +- update to 5.3.0 +- remove ncurses, dbase, mhash extensions +- add enchant, sqlite3, intl, phar, fileinfo extensions +- raise sqlite version to 3.6.0 (for sqlite3, build with --enable-load-extension) +- sync with upstream "production" php.ini + +* Sun Jun 21 2009 Remi Collet <Fedora@famillecollet.com> 5.2.10-1 +- update to 5.2.10 +- add interbase sub-package + +* Sat Feb 28 2009 Remi Collet <Fedora@FamilleCollet.com> - 5.2.9-1 +- update to 5.2.9 + +* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2.8-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Feb 5 2009 Joe Orton <jorton@redhat.com> 5.2.8-9 +- add recode support, -recode subpackage (#106755) +- add -zts subpackage with ZTS-enabled build of httpd SAPI +- adjust php.conf to use -zts SAPI build for worker MPM + +* Wed Feb 4 2009 Joe Orton <jorton@redhat.com> 5.2.8-8 +- fix patch fuzz, renumber patches + +* Wed Feb 4 2009 Joe Orton <jorton@redhat.com> 5.2.8-7 +- drop obsolete configure args +- drop -odbc patch (#483690) + +* Mon Jan 26 2009 Joe Orton <jorton@redhat.com> 5.2.8-5 +- split out sysvshm, sysvsem, sysvmsg, posix into php-process + +* Sun Jan 25 2009 Joe Orton <jorton@redhat.com> 5.2.8-4 +- move wddx to php-xml, build curl shared in -common +- remove BR for expat-devel, bogus configure option + +* Fri Jan 23 2009 Joe Orton <jorton@redhat.com> 5.2.8-3 +- rebuild for new MySQL + +* Sat Dec 13 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.8-2 +- libtool 2 workaround for phpize (#476004) +- add missing php_embed.h (#457777) + +* Tue Dec 09 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.8-1 +- update to 5.2.8 + +* Sat Dec 06 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.7-1.1 +- libtool 2 workaround + +* Fri Dec 05 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.7-1 +- update to 5.2.7 +- enable pdo_dblib driver in php-mssql + +* Mon Nov 24 2008 Joe Orton <jorton@redhat.com> 5.2.6-7 +- tweak Summary, thanks to Richard Hughes + +* Tue Nov 4 2008 Joe Orton <jorton@redhat.com> 5.2.6-6 +- move gd_README to php-gd +- update to r4 of systzdata patch; introduces a default timezone + name of "System/Localtime", which uses /etc/localtime (#469532) + +* Sat Sep 13 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.6-5 +- enable XPM support in php-gd +- Fix BR for php-gd + +* Sun Jul 20 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.6-4 +- enable T1lib support in php-gd + +* Mon Jul 14 2008 Joe Orton <jorton@redhat.com> 5.2.6-3 +- update to 5.2.6 +- sync default php.ini with upstream +- drop extension_dir from default php.ini, rely on hard-coded + default, to make php-common multilib-safe (#455091) +- update to r3 of systzdata patch + +* Thu Apr 24 2008 Joe Orton <jorton@redhat.com> 5.2.5-7 +- split pspell extension out into php-spell (#443857) + +* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 5.2.5-6 +- Autorebuild for GCC 4.3 + +* Fri Jan 11 2008 Joe Orton <jorton@redhat.com> 5.2.5-5 +- ext/date: use system timezone database + +* Fri Dec 28 2007 Joe Orton <jorton@redhat.com> 5.2.5-4 +- rebuild for libc-client bump + +* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 5.2.5-3 +- Rebuild for openssl bump + +* Wed Dec 5 2007 Joe Orton <jorton@redhat.com> 5.2.5-2 +- update to 5.2.5 + +* Mon Oct 15 2007 Joe Orton <jorton@redhat.com> 5.2.4-3 +- correct pcre BR version (#333021) +- restore metaphone fix (#205714) +- add READMEs to php-cli + +* Sun Sep 16 2007 Joe Orton <jorton@redhat.com> 5.2.4-2 +- update to 5.2.4 + +* Sun Sep 2 2007 Joe Orton <jorton@redhat.com> 5.2.3-9 +- rebuild for fixed APR + +* Tue Aug 28 2007 Joe Orton <jorton@redhat.com> 5.2.3-8 +- add ldconfig post/postun for -embedded (Hans de Goede) + +* Fri Aug 10 2007 Hans de Goede <j.w.r.degoede@hhs.nl> 5.2.3-7 +- add php-embedded sub-package + +* Fri Aug 10 2007 Joe Orton <jorton@redhat.com> 5.2.3-6 +- fix build with new glibc +- fix License + +* Mon Jul 16 2007 Joe Orton <jorton@redhat.com> 5.2.3-5 +- define php_extdir in macros.php + +* Mon Jul 2 2007 Joe Orton <jorton@redhat.com> 5.2.3-4 +- obsolete php-dbase + +* Tue Jun 19 2007 Joe Orton <jorton@redhat.com> 5.2.3-3 +- add mcrypt, mhash, tidy, mssql subpackages (Dmitry Butskoy) +- enable dbase extension and package in -common + +* Fri Jun 8 2007 Joe Orton <jorton@redhat.com> 5.2.3-2 +- update to 5.2.3 (thanks to Jeff Sheltren) + +* Wed May 9 2007 Joe Orton <jorton@redhat.com> 5.2.2-4 +- fix php-pdo *_arg_force_ref global symbol abuse (#216125) + +* Tue May 8 2007 Joe Orton <jorton@redhat.com> 5.2.2-3 +- rebuild against uw-imap-devel + +* Fri May 4 2007 Joe Orton <jorton@redhat.com> 5.2.2-2 +- update to 5.2.2 +- synch changes from upstream recommended php.ini + +* Thu Mar 29 2007 Joe Orton <jorton@redhat.com> 5.2.1-5 +- enable SASL support in LDAP extension (#205772) + +* Wed Mar 21 2007 Joe Orton <jorton@redhat.com> 5.2.1-4 +- drop mime_magic extension (deprecated by php-pecl-Fileinfo) + +* Mon Feb 19 2007 Joe Orton <jorton@redhat.com> 5.2.1-3 +- fix regression in str_{i,}replace (from upstream) + +* Thu Feb 15 2007 Joe Orton <jorton@redhat.com> 5.2.1-2 +- update to 5.2.1 +- add Requires(pre) for httpd +- trim %%changelog to versions >= 5.0.0 + +* Thu Feb 8 2007 Joe Orton <jorton@redhat.com> 5.2.0-10 +- bump default memory_limit to 32M (#220821) +- mark config files noreplace again (#174251) +- drop trailing dots from Summary fields +- use standard BuildRoot +- drop libtool15 patch (#226294) + +* Tue Jan 30 2007 Joe Orton <jorton@redhat.com> 5.2.0-9 +- add php(api), php(zend-abi) provides (#221302) +- package /usr/share/php and append to default include_path (#225434) + +* Tue Dec 5 2006 Joe Orton <jorton@redhat.com> 5.2.0-8 +- fix filter.h installation path +- fix php-zend-abi version (Remi Collet, #212804) + +* Tue Nov 28 2006 Joe Orton <jorton@redhat.com> 5.2.0-7 +- rebuild again + +* Tue Nov 28 2006 Joe Orton <jorton@redhat.com> 5.2.0-6 +- rebuild for net-snmp soname bump + +* Mon Nov 27 2006 Joe Orton <jorton@redhat.com> 5.2.0-5 +- build json and zip shared, in -common (Remi Collet, #215966) +- obsolete php-json and php-pecl-zip +- build readline extension into /usr/bin/php* (#210585) +- change module subpackages to require php-common not php (#177821) + +* Wed Nov 15 2006 Joe Orton <jorton@redhat.com> 5.2.0-4 +- provide php-zend-abi (#212804) +- add /etc/rpm/macros.php exporting interface versions +- synch with upstream recommended php.ini + +* Wed Nov 15 2006 Joe Orton <jorton@redhat.com> 5.2.0-3 +- update to 5.2.0 (#213837) +- php-xml provides php-domxml (#215656) +- fix php-pdo-abi provide (#214281) + +* Tue Oct 31 2006 Joseph Orton <jorton@redhat.com> 5.1.6-4 +- rebuild for curl soname bump +- add build fix for curl 7.16 API + +* Wed Oct 4 2006 Joe Orton <jorton@redhat.com> 5.1.6-3 +- from upstream: add safety checks against integer overflow in _ecalloc + +* Tue Aug 29 2006 Joe Orton <jorton@redhat.com> 5.1.6-2 +- update to 5.1.6 (security fixes) +- bump default memory_limit to 16M (#196802) + +* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 5.1.4-8.1 +- rebuild + +* Fri Jun 9 2006 Joe Orton <jorton@redhat.com> 5.1.4-8 +- Provide php-posix (#194583) +- only provide php-pcntl from -cli subpackage +- add missing defattr's (thanks to Matthias Saou) + +* Fri Jun 9 2006 Joe Orton <jorton@redhat.com> 5.1.4-7 +- move Obsoletes for php-openssl to -common (#194501) +- Provide: php-cgi from -cli subpackage + +* Fri Jun 2 2006 Joe Orton <jorton@redhat.com> 5.1.4-6 +- split out php-cli, php-common subpackages (#177821) +- add php-pdo-abi version export (#193202) + +* Wed May 24 2006 Radek Vokal <rvokal@redhat.com> 5.1.4-5.1 +- rebuilt for new libnetsnmp + +* Thu May 18 2006 Joe Orton <jorton@redhat.com> 5.1.4-5 +- provide mod_php (#187891) +- provide php-cli (#192196) +- use correct LDAP fix (#181518) +- define _GNU_SOURCE in php_config.h and leave it defined +- drop (circular) dependency on php-pear + +* Mon May 8 2006 Joe Orton <jorton@redhat.com> 5.1.4-3 +- update to 5.1.4 + +* Wed May 3 2006 Joe Orton <jorton@redhat.com> 5.1.3-3 +- update to 5.1.3 + +* Tue Feb 28 2006 Joe Orton <jorton@redhat.com> 5.1.2-5 +- provide php-api (#183227) +- add provides for all builtin modules (Tim Jackson, #173804) +- own %%{_libdir}/php/pear for PEAR packages (per #176733) +- add obsoletes to allow upgrade from FE4 PDO packages (#181863) + +* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 5.1.2-4.3 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 5.1.2-4.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Tue Jan 31 2006 Joe Orton <jorton@redhat.com> 5.1.2-4 +- rebuild for new libc-client soname + +* Mon Jan 16 2006 Joe Orton <jorton@redhat.com> 5.1.2-3 +- only build xmlreader and xmlwriter shared (#177810) + +* Fri Jan 13 2006 Joe Orton <jorton@redhat.com> 5.1.2-2 +- update to 5.1.2 + +* Thu Jan 5 2006 Joe Orton <jorton@redhat.com> 5.1.1-8 +- rebuild again + +* Mon Jan 2 2006 Joe Orton <jorton@redhat.com> 5.1.1-7 +- rebuild for new net-snmp + +* Mon Dec 12 2005 Joe Orton <jorton@redhat.com> 5.1.1-6 +- enable short_open_tag in default php.ini again (#175381) + +* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com> +- rebuilt + +* Thu Dec 8 2005 Joe Orton <jorton@redhat.com> 5.1.1-5 +- require net-snmp for php-snmp (#174800) + +* Sun Dec 4 2005 Joe Orton <jorton@redhat.com> 5.1.1-4 +- add /usr/share/pear back to hard-coded include_path (#174885) + +* Fri Dec 2 2005 Joe Orton <jorton@redhat.com> 5.1.1-3 +- rebuild for httpd 2.2 + +* Mon Nov 28 2005 Joe Orton <jorton@redhat.com> 5.1.1-2 +- update to 5.1.1 +- remove pear subpackage +- enable pdo extensions (php-pdo subpackage) +- remove non-standard conditional module builds +- enable xmlreader extension + +* Thu Nov 10 2005 Tomas Mraz <tmraz@redhat.com> 5.0.5-6 +- rebuilt against new openssl + +* Mon Nov 7 2005 Joe Orton <jorton@redhat.com> 5.0.5-5 +- pear: update to XML_RPC 1.4.4, XML_Parser 1.2.7, Mail 1.1.9 (#172528) + +* Tue Nov 1 2005 Joe Orton <jorton@redhat.com> 5.0.5-4 +- rebuild for new libnetsnmp + +* Wed Sep 14 2005 Joe Orton <jorton@redhat.com> 5.0.5-3 +- update to 5.0.5 +- add fix for upstream #34435 +- devel: require autoconf, automake (#159283) +- pear: update to HTTP-1.3.6, Mail-1.1.8, Net_SMTP-1.2.7, XML_RPC-1.4.1 +- fix imagettftext et al (upstream, #161001) + +* Thu Jun 16 2005 Joe Orton <jorton@redhat.com> 5.0.4-11 +- ldap: restore ldap_start_tls() function + +* Fri May 6 2005 Joe Orton <jorton@redhat.com> 5.0.4-10 +- disable RPATHs in shared extensions (#156974) + +* Tue May 3 2005 Joe Orton <jorton@redhat.com> 5.0.4-9 +- build simplexml_import_dom even with shared dom (#156434) +- prevent truncation of copied files to ~2Mb (#155916) +- install /usr/bin/php from CLI build alongside CGI +- enable sysvmsg extension (#142988) + +* Mon Apr 25 2005 Joe Orton <jorton@redhat.com> 5.0.4-8 +- prevent build of builtin dba as well as shared extension + +* Wed Apr 13 2005 Joe Orton <jorton@redhat.com> 5.0.4-7 +- split out dba and bcmath extensions into subpackages +- BuildRequire gcc-c++ to avoid AC_PROG_CXX{,CPP} failure (#155221) +- pear: update to DB-1.7.6 +- enable FastCGI support in /usr/bin/php-cgi (#149596) + +* Wed Apr 13 2005 Joe Orton <jorton@redhat.com> 5.0.4-6 +- build /usr/bin/php with the CLI SAPI, and add /usr/bin/php-cgi, + built with the CGI SAPI (thanks to Edward Rudd, #137704) +- add php(1) man page for CLI +- fix more test cases to use -n when invoking php + +* Wed Apr 13 2005 Joe Orton <jorton@redhat.com> 5.0.4-5 +- rebuild for new libpq soname + +* Tue Apr 12 2005 Joe Orton <jorton@redhat.com> 5.0.4-4 +- bundle from PEAR: HTTP, Mail, XML_Parser, Net_Socket, Net_SMTP +- snmp: disable MSHUTDOWN function to prevent error_log noise (#153988) +- mysqli: add fix for crash on x86_64 (Georg Richter, upstream #32282) + +* Mon Apr 11 2005 Joe Orton <jorton@redhat.com> 5.0.4-3 +- build shared objects as PIC (#154195) + +* Mon Apr 4 2005 Joe Orton <jorton@redhat.com> 5.0.4-2 +- fix PEAR installation and bundle PEAR DB-1.7.5 package + +* Fri Apr 1 2005 Joe Orton <jorton@redhat.com> 5.0.4-1 +- update to 5.0.4 (#153068) +- add .phps AddType to php.conf (#152973) +- better gcc4 fix for libxmlrpc + +* Wed Mar 30 2005 Joe Orton <jorton@redhat.com> 5.0.3-5 +- BuildRequire mysql-devel >= 4.1 +- don't mark php.ini as noreplace to make upgrades work (#152171) +- fix subpackage descriptions (#152628) +- fix memset(,,0) in Zend (thanks to Dave Jones) +- fix various compiler warnings in Zend + +* Thu Mar 24 2005 Joe Orton <jorton@redhat.com> 5.0.3-4 +- package mysqli extension in php-mysql +- really enable pcntl (#142903) +- don't build with --enable-safe-mode (#148969) +- use "Instant Client" libraries for oci8 module (Kai Bolay, #149873) + +* Fri Feb 18 2005 Joe Orton <jorton@redhat.com> 5.0.3-3 +- fix build with GCC 4 + +* Wed Feb 9 2005 Joe Orton <jorton@redhat.com> 5.0.3-2 +- install the ext/gd headers (#145891) +- enable pcntl extension in /usr/bin/php (#142903) +- add libmbfl array arithmetic fix (dcb314@hotmail.com, #143795) +- add BuildRequire for recent pcre-devel (#147448) + +* Wed Jan 12 2005 Joe Orton <jorton@redhat.com> 5.0.3-1 +- update to 5.0.3 (thanks to Robert Scheck et al, #143101) +- enable xsl extension (#142174) +- package both the xsl and dom extensions in php-xml +- enable soap extension, shared (php-soap package) (#142901) +- add patches from upstream 5.0 branch: + * Zend_strtod.c compile fixes + * correct php_sprintf return value usage + +* Mon Nov 22 2004 Joe Orton <jorton@redhat.com> 5.0.2-8 +- update for db4-4.3 (Robert Scheck, #140167) +- build against mysql-devel +- run tests in %%check + +* Wed Nov 10 2004 Joe Orton <jorton@redhat.com> 5.0.2-7 +- truncate changelog at 4.3.1-1 +- merge from 4.3.x package: + - enable mime_magic extension and Require: file (#130276) + +* Mon Nov 8 2004 Joe Orton <jorton@redhat.com> 5.0.2-6 +- fix dom/sqlite enable/without confusion + +* Mon Nov 8 2004 Joe Orton <jorton@redhat.com> 5.0.2-5 +- fix phpize installation for lib64 platforms +- add fix for segfault in variable parsing introduced in 5.0.2 + +* Mon Nov 8 2004 Joe Orton <jorton@redhat.com> 5.0.2-4 +- update to 5.0.2 (#127980) +- build against mysqlclient10-devel +- use new RTLD_DEEPBIND to load extension modules +- drop explicit requirement for elfutils-devel +- use AddHandler in default conf.d/php.conf (#135664) +- "fix" round() fudging for recent gcc on x86 +- disable sqlite pending audit of warnings and subpackage split + +* Fri Sep 17 2004 Joe Orton <jorton@redhat.com> 5.0.1-4 +- don't build dom extension into 2.0 SAPI + +* Fri Sep 17 2004 Joe Orton <jorton@redhat.com> 5.0.1-3 +- ExclusiveArch: x86 ppc x86_64 for the moment + +* Fri Sep 17 2004 Joe Orton <jorton@redhat.com> 5.0.1-2 +- fix default extension_dir and conf.d/php.conf + +* Thu Sep 9 2004 Joe Orton <jorton@redhat.com> 5.0.1-1 +- update to 5.0.1 +- only build shared modules once +- put dom extension in php-dom subpackage again +- move extension modules into %%{_libdir}/php/modules +- don't use --with-regex=system, it's ignored for the apache* SAPIs + +* Wed Aug 11 2004 Tom Callaway <tcallawa@redhat.com> +- Merge in some spec file changes from Jeff Stern (jastern@uci.edu) + +* Mon Aug 09 2004 Tom Callaway <tcallawa@redhat.com> +- bump to 5.0.0 +- add patch to prevent clobbering struct re_registers from regex.h +- remove domxml references, replaced with dom now built-in +- fix php.ini to refer to php5 not php4 |