From 2cfde60649a25ed1f40ebab9e7780e8642a616a7 Mon Sep 17 00:00:00 2001
From: Adam Samalik
Date: Tue, 16 May 2023 09:29:47 +0200
Subject: [PATCH] import sources

---
Makefile | 22 -
news2markdown.php | 38 -
php-7.3.3-systzdata-v18.patch | 656 -----
php-7.4.0-datetests.patch | 98 -
php-7.4.0-libdb.patch | 92 -
php-7.4.19-CVE-2021-21703.patch | 396 ---
php-7.4.19-CVE-2021-21705.patch | 55 -
php-7.4.19.tar.xz.asc | 16 -
php-8.0.0-embed.patch | 25 -
php-8.0.0-phpinfo.patch | 118 -
php-8.0.10-openssl3.patch | 4761 -------------------------------
php-8.0.10-phar-sha.patch | 515 ----
php-8.0.10-snmp-sha.patch | 143 -
php-8.0.10-systzdata-v21.patch | 718 -----
php-8.0.13-crypt.patch | 45 -
php-8.0.19-parser.patch | 16 -
php-8.0.6-deprecated.patch | 400 ---
php-keyring.gpg | 729 ++---
php-mbstring.patch | 33 -
rpminspect.yaml | 10 -
sources | 1 -
21 files changed, 317 insertions(+), 8570 deletions(-)
delete mode 100644 Makefile
delete mode 100755 news2markdown.php
delete mode 100644 php-7.3.3-systzdata-v18.patch
delete mode 100644 php-7.4.0-datetests.patch
delete mode 100644 php-7.4.0-libdb.patch
delete mode 100644 php-7.4.19-CVE-2021-21703.patch
delete mode 100644 php-7.4.19-CVE-2021-21705.patch
delete mode 100644 php-7.4.19.tar.xz.asc
delete mode 100644 php-8.0.0-embed.patch
delete mode 100644 php-8.0.0-phpinfo.patch
delete mode 100644 php-8.0.10-openssl3.patch
delete mode 100644 php-8.0.10-phar-sha.patch
delete mode 100644 php-8.0.10-snmp-sha.patch
delete mode 100644 php-8.0.10-systzdata-v21.patch
delete mode 100644 php-8.0.13-crypt.patch
delete mode 100644 php-8.0.19-parser.patch
delete mode 100644 php-8.0.6-deprecated.patch
delete mode 100644 php-mbstring.patch
delete mode 100644 rpminspect.yaml
diff --git a/Makefile b/Makefile
deleted file mode 100644
index cae2dd8..0000000
--- a/Makefile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Makefile for source rpm: php
-# $Id$
-NAME := php
-SPECFILE = $(firstword $(wildcard *.spec))
-UPSTREAM_CHECKS :=
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
diff --git a/news2markdown.php b/news2markdown.php
deleted file mode 100755
index 77303cd..0000000
--- a/news2markdown.php
+++ /dev/null
@@ -1,38 +0,0 @@ -#!/usr/bin/env php - -+#include -+#include -+#include -+#include -+ -+#include "php_scandir.h" -+ -+#else - #define TIMELIB_SUPPORTS_V2DATA - #include "timezonedb.h" -+#endif -+ -+#include - - #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__)) - # if defined(__LITTLE_ENDIAN__) -@@ -87,6 +100,11 @@ static int read_php_preamble(const unsig - { - uint32_t version; - -+ if (memcmp(*tzf, "TZif", 4) == 0) { -+ *tzf += 20; -+ return 0; -+ } -+ - /* read ID */ - version = (*tzf)[3] - '0'; - *tzf += 4; -@@ -411,7 +429,429 @@ void timelib_dump_tzinfo(timelib_tzinfo - } - } - --static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb) -+#ifdef HAVE_SYSTEM_TZDATA -+ -+#ifdef HAVE_SYSTEM_TZDATA_PREFIX -+#define ZONEINFO_PREFIX HAVE_SYSTEM_TZDATA_PREFIX -+#else -+#define ZONEINFO_PREFIX "/usr/share/zoneinfo" -+#endif -+ -+/* System timezone database pointer. */ -+static const timelib_tzdb *timezonedb_system; -+ -+/* Hash table entry for the cache of the zone.tab mapping table. */ -+struct location_info { -+ char code[2]; -+ double latitude, longitude; -+ char name[64]; -+ char *comment; -+ struct location_info *next; -+}; -+ -+/* Cache of zone.tab. */ -+static struct location_info **system_location_table; -+ -+/* Size of the zone.tab hash table; a random-ish prime big enough to -+ * prevent too many collisions. */ -+#define LOCINFO_HASH_SIZE (1021) -+ -+/* Compute a case insensitive hash of str */ -+static uint32_t tz_hash(const char *str) -+{ -+ const unsigned char *p = (const unsigned char *)str; -+ uint32_t hash = 5381; -+ int c; -+ -+ while ((c = tolower(*p++)) != '\0') { -+ hash = (hash << 5) ^ hash ^ c; -+ } -+ -+ return hash % LOCINFO_HASH_SIZE; -+} -+ -+/* Parse an ISO-6709 date as used in zone.tab. Returns end of the -+ * parsed string on success, or NULL on parse error. On success, -+ * writes the parsed number to *result. 
*/ -+static char *parse_iso6709(char *p, double *result) -+{ -+ double v, sign; -+ char *pend; -+ size_t len; -+ -+ if (*p == '+') -+ sign = 1.0; -+ else if (*p == '-') -+ sign = -1.0; -+ else -+ return NULL; -+ -+ p++; -+ for (pend = p; *pend >= '0' && *pend <= '9'; pend++) -+ ;; -+ -+ /* Annoying encoding used by zone.tab has no decimal point, so use -+ * the length to determine the format: -+ * -+ * 4 = DDMM -+ * 5 = DDDMM -+ * 6 = DDMMSS -+ * 7 = DDDMMSS -+ */ -+ len = pend - p; -+ if (len < 4 || len > 7) { -+ return NULL; -+ } -+ -+ /* p => [D]DD */ -+ v = (p[0] - '0') * 10.0 + (p[1] - '0'); -+ p += 2; -+ if (len == 5 || len == 7) -+ v = v * 10.0 + (*p++ - '0'); -+ /* p => MM[SS] */ -+ v += (10.0 * (p[0] - '0') -+ + p[1] - '0') / 60.0; -+ p += 2; -+ /* p => [SS] */ -+ if (len > 5) { -+ v += (10.0 * (p[0] - '0') -+ + p[1] - '0') / 3600.0; -+ p += 2; -+ } -+ -+ /* Round to five decimal place, not because it's a good idea, -+ * but, because the builtin data uses rounded data, so, match -+ * that. */ -+ *result = trunc(v * sign * 100000.0) / 100000.0; -+ -+ return p; -+} -+ -+/* This function parses the zone.tab file to build up the mapping of -+ * timezone to country code and geographic location, and returns a -+ * hash table. 
The hash table is indexed by the function: -+ * -+ * tz_hash(timezone-name) -+ */ -+static struct location_info **create_location_table(void) -+{ -+ struct location_info **li, *i; -+ char zone_tab[PATH_MAX]; -+ char line[512]; -+ FILE *fp; -+ -+ strncpy(zone_tab, ZONEINFO_PREFIX "/zone.tab", sizeof zone_tab); -+ -+ fp = fopen(zone_tab, "r"); -+ if (!fp) { -+ return NULL; -+ } -+ -+ li = calloc(LOCINFO_HASH_SIZE, sizeof *li); -+ -+ while (fgets(line, sizeof line, fp)) { -+ char *p = line, *code, *name, *comment; -+ uint32_t hash; -+ double latitude, longitude; -+ -+ while (isspace(*p)) -+ p++; -+ -+ if (*p == '#' || *p == '\0' || *p == '\n') -+ continue; -+ -+ if (!isalpha(p[0]) || !isalpha(p[1]) || p[2] != '\t') -+ continue; -+ -+ /* code => AA */ -+ code = p; -+ p[2] = 0; -+ p += 3; -+ -+ /* coords => [+-][D]DDMM[SS][+-][D]DDMM[SS] */ -+ p = parse_iso6709(p, &latitude); -+ if (!p) { -+ continue; -+ } -+ p = parse_iso6709(p, &longitude); -+ if (!p) { -+ continue; -+ } -+ -+ if (!p || *p != '\t') { -+ continue; -+ } -+ -+ /* name = string */ -+ name = ++p; -+ while (*p != '\t' && *p && *p != '\n') -+ p++; -+ -+ *p++ = '\0'; -+ -+ /* comment = string */ -+ comment = p; -+ while (*p != '\t' && *p && *p != '\n') -+ p++; -+ -+ if (*p == '\n' || *p == '\t') -+ *p = '\0'; -+ -+ hash = tz_hash(name); -+ i = malloc(sizeof *i); -+ memcpy(i->code, code, 2); -+ strncpy(i->name, name, sizeof i->name); -+ i->comment = strdup(comment); -+ i->longitude = longitude; -+ i->latitude = latitude; -+ i->next = li[hash]; -+ li[hash] = i; -+ /* printf("%s [%u, %f, %f]\n", name, hash, latitude, longitude); */ -+ } -+ -+ fclose(fp); -+ -+ return li; -+} -+ -+/* Return location info from hash table, using given timezone name. -+ * Returns NULL if the name could not be found. 
*/ -+const struct location_info *find_zone_info(struct location_info **li, -+ const char *name) -+{ -+ uint32_t hash = tz_hash(name); -+ const struct location_info *l; -+ -+ if (!li) { -+ return NULL; -+ } -+ -+ for (l = li[hash]; l; l = l->next) { -+ if (timelib_strcasecmp(l->name, name) == 0) -+ return l; -+ } -+ -+ return NULL; -+} -+ -+/* Filter out some non-tzdata files and the posix/right databases, if -+ * present. */ -+static int index_filter(const struct dirent *ent) -+{ -+ return strcmp(ent->d_name, ".") != 0 -+ && strcmp(ent->d_name, "..") != 0 -+ && strcmp(ent->d_name, "posix") != 0 -+ && strcmp(ent->d_name, "posixrules") != 0 -+ && strcmp(ent->d_name, "right") != 0 -+ && strstr(ent->d_name, ".list") == NULL -+ && strstr(ent->d_name, ".tab") == NULL; -+} -+ -+static int sysdbcmp(const void *first, const void *second) -+{ -+ const timelib_tzdb_index_entry *alpha = first, *beta = second; -+ -+ return timelib_strcasecmp(alpha->id, beta->id); -+} -+ -+ -+/* Create the zone identifier index by trawling the filesystem. */ -+static void create_zone_index(timelib_tzdb *db) -+{ -+ size_t dirstack_size, dirstack_top; -+ size_t index_size, index_next; -+ timelib_tzdb_index_entry *db_index; -+ char **dirstack; -+ -+ /* LIFO stack to hold directory entries to scan; each slot is a -+ * directory name relative to the zoneinfo prefix. */ -+ dirstack_size = 32; -+ dirstack = malloc(dirstack_size * sizeof *dirstack); -+ dirstack_top = 1; -+ dirstack[0] = strdup(""); -+ -+ /* Index array. */ -+ index_size = 64; -+ db_index = malloc(index_size * sizeof *db_index); -+ index_next = 0; -+ -+ do { -+ struct dirent **ents; -+ char name[PATH_MAX], *top; -+ int count; -+ -+ /* Pop the top stack entry, and iterate through its contents. 
*/ -+ top = dirstack[--dirstack_top]; -+ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s", top); -+ -+ count = php_scandir(name, &ents, index_filter, php_alphasort); -+ -+ while (count > 0) { -+ struct stat st; -+ const char *leaf = ents[count - 1]->d_name; -+ -+ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s/%s", -+ top, leaf); -+ -+ if (strlen(name) && stat(name, &st) == 0) { -+ /* Name, relative to the zoneinfo prefix. */ -+ const char *root = top; -+ -+ if (root[0] == '/') root++; -+ -+ snprintf(name, sizeof name, "%s%s%s", root, -+ *root ? "/": "", leaf); -+ -+ if (S_ISDIR(st.st_mode)) { -+ if (dirstack_top == dirstack_size) { -+ dirstack_size *= 2; -+ dirstack = realloc(dirstack, -+ dirstack_size * sizeof *dirstack); -+ } -+ dirstack[dirstack_top++] = strdup(name); -+ } -+ else { -+ if (index_next == index_size) { -+ index_size *= 2; -+ db_index = realloc(db_index, -+ index_size * sizeof *db_index); -+ } -+ -+ db_index[index_next++].id = strdup(name); -+ } -+ } -+ -+ free(ents[--count]); -+ } -+ -+ if (count != -1) free(ents); -+ free(top); -+ } while (dirstack_top); -+ -+ qsort(db_index, index_next, sizeof *db_index, sysdbcmp); -+ -+ db->index = db_index; -+ db->index_size = index_next; -+ -+ free(dirstack); -+} -+ -+#define FAKE_HEADER "1234\0??\1??" -+#define FAKE_UTC_POS (7 - 4) -+ -+/* Create a fake data segment for database 'sysdb'. */ -+static void fake_data_segment(timelib_tzdb *sysdb, -+ struct location_info **info) -+{ -+ size_t n; -+ char *data, *p; -+ -+ data = malloc(3 * sysdb->index_size + 7); -+ -+ p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1); -+ -+ for (n = 0; n < sysdb->index_size; n++) { -+ const struct location_info *li; -+ timelib_tzdb_index_entry *ent; -+ -+ ent = (timelib_tzdb_index_entry *)&sysdb->index[n]; -+ -+ /* Lookup the timezone name in the hash table. 
*/ -+ if (strcmp(ent->id, "UTC") == 0) { -+ ent->pos = FAKE_UTC_POS; -+ continue; -+ } -+ -+ li = find_zone_info(info, ent->id); -+ if (li) { -+ /* If found, append the BC byte and the -+ * country code; set the position for this -+ * section of timezone data. */ -+ ent->pos = (p - data) - 4; -+ *p++ = '\1'; -+ *p++ = li->code[0]; -+ *p++ = li->code[1]; -+ } -+ else { -+ /* If not found, the timezone data can -+ * point at the header. */ -+ ent->pos = 0; -+ } -+ } -+ -+ sysdb->data = (unsigned char *)data; -+} -+ -+/* Returns true if the passed-in stat structure describes a -+ * probably-valid timezone file. */ -+static int is_valid_tzfile(const struct stat *st, int fd) -+{ -+ if (fd) { -+ char buf[20]; -+ if (read(fd, buf, 20)!=20) { -+ return 0; -+ } -+ lseek(fd, SEEK_SET, 0); -+ if (memcmp(buf, "TZif", 4)) { -+ return 0; -+ } -+ } -+ return S_ISREG(st->st_mode) && st->st_size > 20; -+} -+ -+/* To allow timezone names to be used case-insensitively, find the -+ * canonical name for this timezone, if possible. */ -+static const char *canonical_tzname(const char *timezone) -+{ -+ if (timezonedb_system) { -+ timelib_tzdb_index_entry *ent, lookup; -+ -+ lookup.id = (char *)timezone; -+ -+ ent = bsearch(&lookup, timezonedb_system->index, -+ timezonedb_system->index_size, sizeof lookup, -+ sysdbcmp); -+ if (ent) { -+ return ent->id; -+ } -+ } -+ -+ return timezone; -+} -+ -+/* Return the mmap()ed tzfile if found, else NULL. On success, the -+ * length of the mapped data is placed in *length. 
*/ -+static char *map_tzfile(const char *timezone, size_t *length) -+{ -+ char fname[PATH_MAX]; -+ struct stat st; -+ char *p; -+ int fd; -+ -+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { -+ return NULL; -+ } -+ -+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); -+ -+ fd = open(fname, O_RDONLY); -+ if (fd == -1) { -+ return NULL; -+ } else if (fstat(fd, &st) != 0 || !is_valid_tzfile(&st, fd)) { -+ close(fd); -+ return NULL; -+ } -+ -+ *length = st.st_size; -+ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); -+ close(fd); -+ -+ return p != MAP_FAILED ? p : NULL; -+} -+ -+#endif -+ -+static int inmem_seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb) - { - int left = 0, right = tzdb->index_size - 1; - -@@ -437,9 +877,48 @@ static int seek_to_tz_position(const uns - return 0; - } - -+static int seek_to_tz_position(const unsigned char **tzf, char *timezone, -+ char **map, size_t *maplen, -+ const timelib_tzdb *tzdb) -+{ -+#ifdef HAVE_SYSTEM_TZDATA -+ if (tzdb == timezonedb_system) { -+ char *orig; -+ -+ orig = map_tzfile(timezone, maplen); -+ if (orig == NULL) { -+ return 0; -+ } -+ -+ (*tzf) = (unsigned char *)orig; -+ *map = orig; -+ return 1; -+ } -+ else -+#endif -+ { -+ return inmem_seek_to_tz_position(tzf, timezone, tzdb); -+ } -+} -+ - const timelib_tzdb *timelib_builtin_db(void) - { -+#ifdef HAVE_SYSTEM_TZDATA -+ if (timezonedb_system == NULL) { -+ timelib_tzdb *tmp = malloc(sizeof *tmp); -+ -+ tmp->version = "0.system"; -+ tmp->data = NULL; -+ create_zone_index(tmp); -+ system_location_table = create_location_table(); -+ fake_data_segment(tmp, system_location_table); -+ timezonedb_system = tmp; -+ } -+ -+ return timezonedb_system; -+#else - return &timezonedb_builtin; -+#endif - } - - const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_tzdb *tzdb, int *count) -@@ -451,7 +930,30 @@ const timelib_tzdb_index_entry *timelib_ - int 
timelib_timezone_id_is_valid(char *timezone, const timelib_tzdb *tzdb) - { - const unsigned char *tzf; -- return (seek_to_tz_position(&tzf, timezone, tzdb)); -+ -+#ifdef HAVE_SYSTEM_TZDATA -+ if (tzdb == timezonedb_system) { -+ char fname[PATH_MAX]; -+ struct stat st; -+ -+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { -+ return 0; -+ } -+ -+ if (system_location_table) { -+ if (find_zone_info(system_location_table, timezone) != NULL) { -+ /* found in cache */ -+ return 1; -+ } -+ } -+ -+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); -+ -+ return stat(fname, &st) == 0 && is_valid_tzfile(&st, 0); -+ } -+#endif -+ -+ return (inmem_seek_to_tz_position(&tzf, timezone, tzdb)); - } - - static int skip_64bit_preamble(const unsigned char **tzf, timelib_tzinfo *tz) -@@ -493,12 +995,14 @@ static timelib_tzinfo* timelib_tzinfo_ct - timelib_tzinfo *timelib_parse_tzfile(char *timezone, const timelib_tzdb *tzdb, int *error_code) - { - const unsigned char *tzf; -+ char *memmap = NULL; -+ size_t maplen; - timelib_tzinfo *tmp; - int version; - int transitions_result, types_result; - unsigned int type; /* TIMELIB_TZINFO_PHP or TIMELIB_TZINFO_ZONEINFO */ - -- if (seek_to_tz_position(&tzf, timezone, tzdb)) { -+ if (seek_to_tz_position(&tzf, timezone, &memmap, &maplen, tzdb)) { - tmp = timelib_tzinfo_ctor(timezone); - - version = read_preamble(&tzf, tmp, &type); -@@ -537,11 +1041,36 @@ timelib_tzinfo *timelib_parse_tzfile(cha - } - skip_posix_string(&tzf, tmp); - -+#ifdef HAVE_SYSTEM_TZDATA -+ if (memmap) { -+ const struct location_info *li; -+ -+ /* TZif-style - grok the location info from the system database, -+ * if possible. 
*/ -+ -+ if ((li = find_zone_info(system_location_table, timezone)) != NULL) { -+ tmp->location.comments = timelib_strdup(li->comment); -+ strncpy(tmp->location.country_code, li->code, 2); -+ tmp->location.longitude = li->longitude; -+ tmp->location.latitude = li->latitude; -+ tmp->bc = 1; -+ } -+ else { -+ set_default_location_and_comments(&tzf, tmp); -+ } -+ -+ /* Now done with the mmap segment - discard it. */ -+ munmap(memmap, maplen); -+ } else { -+#endif - if (type == TIMELIB_TZINFO_PHP) { - read_location(&tzf, tmp); - } else { - set_default_location_and_comments(&tzf, tmp); - } -+#ifdef HAVE_SYSTEM_TZDATA -+ } -+#endif - } else { - *error_code = TIMELIB_ERROR_NO_SUCH_TIMEZONE; - tmp = NULL; diff --git a/php-7.4.0-datetests.patch b/php-7.4.0-datetests.patch deleted file mode 100644 index 8c437e5..0000000 --- a/php-7.4.0-datetests.patch +++ /dev/null 
@@ -1,98 +0,0 @@
-diff -up ./ext/date/tests/bug33414-2.phpt.datetests ./ext/date/tests/bug33414-2.phpt
---- ./ext/date/tests/bug33414-2.phpt.datetests 2020-04-09 14:06:11.000000000 +0200
-+++ ./ext/date/tests/bug33414-2.phpt 2020-04-09 14:40:00.809433489 +0200
-@@ -74,10 +74,10 @@ $strtotime_tstamp = strtotime("next Frid
- print "result=".date("l Y-m-d H:i:s T I", $strtotime_tstamp)."\n";
- print "wanted=Friday 00:00:00\n\n";
- ?>
----EXPECT--
-+--EXPECTF--
- TZ=Pacific/Rarotonga - wrong day.
--tStamp=Thursday 1970-01-01 17:17:17 -1030 0
--result=Tuesday 1970-01-06 00:00:00 -1030 0
-+tStamp=Thursday 1970-01-01 17:17:17 %s
-+result=Tuesday 1970-01-06 00:00:00 %s
- wanted=Tuesday 00:00:00
-
- TZ=Atlantic/South_Georgia - wrong day.
-@@ -91,13 +91,13 @@ result=Monday 2005-04-04 00:00:00 EDT 1
- wanted=Monday 00:00:00
-
- TZ=Pacific/Enderbury - wrong day, off by 2 days.
--tStamp=Thursday 1970-01-01 17:17:17 -12 0
--result=Monday 1970-01-05 00:00:00 -12 0
-+tStamp=Thursday 1970-01-01 17:17:17 %s
-+result=Monday 1970-01-05 00:00:00 %s
- wanted=Monday 00:00:00
-
- TZ=Pacific/Kiritimati - wrong day, off by 2 days.
--tStamp=Thursday 1970-01-01 17:17:17 -1040 0
--result=Monday 1970-01-05 00:00:00 -1040 0
-+tStamp=Thursday 1970-01-01 17:17:17 %s
-+result=Monday 1970-01-05 00:00:00 %s
- wanted=Monday 00:00:00
-
- TZ=America/Managua - wrong day.
-@@ -106,13 +106,13 @@ result=Tuesday 2005-04-12 00:00:00 CDT 1
- wanted=Tuesday 00:00:00
-
- TZ=Pacific/Pitcairn - wrong day.
--tStamp=Thursday 1970-01-01 17:17:17 -0830 0
--result=Wednesday 1970-01-07 00:00:00 -0830 0
-+tStamp=Thursday 1970-01-01 17:17:17 %s
-+result=Wednesday 1970-01-07 00:00:00 %s
- wanted=Wednesday 00:00:00
-
- TZ=Pacific/Fakaofo - wrong day.
--tStamp=Thursday 1970-01-01 17:17:17 -11 0
--result=Saturday 1970-01-03 00:00:00 -11 0
-+tStamp=Thursday 1970-01-01 17:17:17 %s
-+result=Saturday 1970-01-03 00:00:00 %s
- wanted=Saturday 00:00:00
-
- TZ=Pacific/Johnston - wrong day.
-diff -up ./ext/date/tests/bug66985.phpt.datetests ./ext/date/tests/bug66985.phpt ---- ./ext/date/tests/bug66985.phpt.datetests 2020-04-09 14:06:11.000000000 +0200 -+++ ./ext/date/tests/bug66985.phpt 2020-04-09 14:40:37.099288185 +0200 -@@ -3,7 +3,7 @@ Bug #66985 (Some timezones are no longer - --FILE-- - 3 -- [timezone] => Factory --) --DateTimeZone Object --( - [timezone_type] => 3 - [timezone] => GB-Eire - ) -diff -up ./ext/date/tests/strtotime3-64bit.phpt.datetests ./ext/date/tests/strtotime3-64bit.phpt ---- ./ext/date/tests/strtotime3-64bit.phpt.datetests 2020-04-09 14:06:11.000000000 +0200 -+++ ./ext/date/tests/strtotime3-64bit.phpt 2020-04-09 14:40:00.809433489 +0200 -@@ -44,7 +44,7 @@ foreach ($strs as $str) { - } - - ?> ----EXPECT-- -+--EXPECTF-- - bool(false) - bool(false) - string(31) "Thu, 15 Jun 2006 00:00:00 +0100" -@@ -53,7 +53,7 @@ bool(false) - string(31) "Fri, 16 Jun 2006 23:49:12 +0100" - bool(false) - string(31) "Fri, 16 Jun 2006 02:22:00 +0100" --string(31) "Sun, 16 Jun 0222 02:22:00 -0036" -+string(31) "Sun, 16 Jun 0222 02:22:00 %s" - string(31) "Fri, 16 Jun 2006 02:22:33 +0100" - bool(false) - string(31) "Tue, 02 Mar 2004 00:00:00 +0000" diff --git a/php-7.4.0-libdb.patch b/php-7.4.0-libdb.patch deleted file mode 100644 index d7c6289..0000000 --- a/php-7.4.0-libdb.patch +++ /dev/null 
@@ -1,92 +0,0 @@
-diff -up ./ext/dba/config.m4.libdb ./ext/dba/config.m4
---- ./ext/dba/config.m4.libdb 2020-04-09 14:06:11.000000000 +0200
-+++ ./ext/dba/config.m4 2020-04-09 14:35:08.208605065 +0200
-@@ -375,61 +375,13 @@ if test "$PHP_DB4" != "no"; then
- dbdp4="/usr/local/BerkeleyDB.4."
- dbdp5="/usr/local/BerkeleyDB.5."
- for i in $PHP_DB4 ${dbdp5}1 ${dbdp5}0 ${dbdp4}8 ${dbdp4}7 ${dbdp4}6 ${dbdp4}5 ${dbdp4}4 ${dbdp4}3 ${dbdp4}2 ${dbdp4}1 ${dbdp}0 /usr/local /usr; do
-- if test -f "$i/db5/db.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/db5/db.h
-- break
-- elif test -f "$i/db4/db.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/db4/db.h
-- break
-- elif test -f "$i/include/db5.3/db.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/include/db5.3/db.h
-- break
-- elif test -f "$i/include/db5.1/db.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/include/db5.1/db.h
-- break
-- elif test -f "$i/include/db5.0/db.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/include/db5.0/db.h
-- break
-- elif test -f "$i/include/db4.8/db.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/include/db4.8/db.h
-- break
-- elif test -f "$i/include/db4.7/db.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/include/db4.7/db.h
-- break
-- elif test -f "$i/include/db4.6/db.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/include/db4.6/db.h
-- break
-- elif test -f "$i/include/db4.5/db.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/include/db4.5/db.h
-- break
-- elif test -f "$i/include/db4/db.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/include/db4/db.h
-- break
-- elif test -f "$i/include/db/db4.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/include/db/db4.h
-- break
-- elif test -f "$i/include/db4.h"; then
-- THIS_PREFIX=$i
-- THIS_INCLUDE=$i/include/db4.h
-- break
-- elif test -f "$i/include/db.h"; then
-+ if test -f "$i/include/db.h"; then
- THIS_PREFIX=$i
- THIS_INCLUDE=$i/include/db.h
- break
- fi
- done
-- PHP_DBA_DB_CHECK(4, db-5.3 db-5.1 db-5.0 db-4.8 db-4.7 db-4.6 db-4.5 db-4.4 db-4.3 db-4.2 db-4.1 db-4.0 db-4 db4 db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)])
-+ PHP_DBA_DB_CHECK(4, db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)])
- fi
- PHP_DBA_STD_RESULT(db4,Berkeley DB4)
-
-diff -up ./ext/dba/dba.c.libdb ./ext/dba/dba.c
---- ./ext/dba/dba.c.libdb 2020-04-09 14:06:11.000000000 +0200
-+++ ./ext/dba/dba.c 2020-04-09 14:36:30.593275190 +0200
-@@ -50,6 +50,10 @@
- #include "php_lmdb.h"
- #include "dba_arginfo.h"
-
-+#ifdef DB4_INCLUDE_FILE
-+#include DB4_INCLUDE_FILE
-+#endif
-+
- PHP_MINIT_FUNCTION(dba);
- PHP_MSHUTDOWN_FUNCTION(dba);
- PHP_MINFO_FUNCTION(dba);
-@@ -459,6 +463,10 @@ PHP_MINFO_FUNCTION(dba)
-
- php_info_print_table_start();
- php_info_print_table_row(2, "DBA support", "enabled");
-+#ifdef DB_VERSION_STRING
-+ php_info_print_table_row(2, "libdb header version", DB_VERSION_STRING);
-+ php_info_print_table_row(2, "libdb library version", db_version(NULL, NULL, NULL));
-+#endif
- if (handlers.s) {
- smart_str_0(&handlers);
- php_info_print_table_row(2, "Supported handlers", ZSTR_VAL(handlers.s));
diff --git a/php-7.4.19-CVE-2021-21703.patch b/php-7.4.19-CVE-2021-21703.patch
deleted file mode 100644
index 0cf437d..0000000
--- a/php-7.4.19-CVE-2021-21703.patch
+++ /dev/null
@@ -1,396 +0,0 @@
-From 81bf9b1a9f6def4a6f742a6b41ddc92005ab638f Mon Sep 17 00:00:00 2001
-From: Jakub Zelenka
-Date: Sat, 2 Oct 2021 22:53:41 +0100
-Subject: [PATCH] Fix bug #81026 (PHP-FPM oob R/W in root process leading to
- priv escalation)
-
-The main change is to store scoreboard procs directly to the variable sized
-array rather than indirectly through the pointer.
-
-Signed-off-by: Stanislav Malyshev
----
- sapi/fpm/fpm/fpm_children.c | 14 ++---
- sapi/fpm/fpm/fpm_request.c | 4 +-
- sapi/fpm/fpm/fpm_scoreboard.c | 106 ++++++++++++++++++++-------------
- sapi/fpm/fpm/fpm_scoreboard.h | 11 ++--
- sapi/fpm/fpm/fpm_status.c | 4 +-
- sapi/fpm/fpm/fpm_worker_pool.c | 2 +-
- 6 files changed, 81 insertions(+), 60 deletions(-)
-
-diff --git a/sapi/fpm/fpm/fpm_children.c b/sapi/fpm/fpm/fpm_children.c
-index fd121372f37c..912f77c11aa7 100644
---- a/sapi/fpm/fpm/fpm_children.c
-+++ b/sapi/fpm/fpm/fpm_children.c
-@@ -246,7 +246,7 @@ void fpm_children_bury() /* {{{ */
-
- fpm_child_unlink(child);
-
-- fpm_scoreboard_proc_free(wp->scoreboard, child->scoreboard_i);
-+ fpm_scoreboard_proc_free(child);
-
- fpm_clock_get(&tv1);
-
-@@ -256,9 +256,9 @@ void fpm_children_bury() /* {{{ */
- if (!fpm_pctl_can_spawn_children()) {
- severity = ZLOG_DEBUG;
- }
-- zlog(severity, "[pool %s] child %d exited %s after %ld.%06d seconds from start", child->wp->config->name, (int) pid, buf, tv2.tv_sec, (int) tv2.tv_usec);
-+ zlog(severity, "[pool %s] child %d exited %s after %ld.%06d seconds from start", wp->config->name, (int) pid, buf, tv2.tv_sec, (int) tv2.tv_usec);
- } else {
-- zlog(ZLOG_DEBUG, "[pool %s] child %d has been killed by the process management after %ld.%06d seconds from start", child->wp->config->name, (int) pid, tv2.tv_sec, (int) tv2.tv_usec);
-+ zlog(ZLOG_DEBUG, "[pool %s] child %d has been killed by the process management after %ld.%06d seconds from start", wp->config->name, (int) pid, tv2.tv_sec, (int) tv2.tv_usec);
- }
-
- fpm_child_close(child, 1 /* in event_loop */);
-@@ -324,7 +324,7 @@ static struct fpm_child_s *fpm_resources_prepare(struct fpm_worker_pool_s *wp) / - return 0; - } - -- if (0 > fpm_scoreboard_proc_alloc(wp->scoreboard, &c->scoreboard_i)) { -+ if (0 > fpm_scoreboard_proc_alloc(c)) { - fpm_stdio_discard_pipes(c); - fpm_child_free(c); - return 0; -@@ -336,7 +336,7 @@ static struct fpm_child_s *fpm_resources_prepare(struct fpm_worker_pool_s *wp) / - - static void fpm_resources_discard(struct fpm_child_s *child) /* {{{ */ - { -- fpm_scoreboard_proc_free(child->wp->scoreboard, child->scoreboard_i); -+ fpm_scoreboard_proc_free(child); - fpm_stdio_discard_pipes(child); - fpm_child_free(child); - } -@@ -349,10 +349,10 @@ static void fpm_child_resources_use(struct fpm_child_s *child) /* {{{ */ - if (wp == child->wp) { - continue; - } -- fpm_scoreboard_free(wp->scoreboard); -+ fpm_scoreboard_free(wp); - } - -- fpm_scoreboard_child_use(child->wp->scoreboard, child->scoreboard_i, getpid()); -+ fpm_scoreboard_child_use(child, getpid()); - fpm_stdio_child_use_pipes(child); - fpm_child_free(child); - } -diff --git a/sapi/fpm/fpm/fpm_request.c b/sapi/fpm/fpm/fpm_request.c -index c80aa144628f..0a6f6a7cfbf0 100644 ---- a/sapi/fpm/fpm/fpm_request.c -+++ b/sapi/fpm/fpm/fpm_request.c -@@ -285,7 +285,7 @@ int fpm_request_is_idle(struct fpm_child_s *child) /* {{{ */ - struct fpm_scoreboard_proc_s *proc; - - /* no need in atomicity here */ -- proc = fpm_scoreboard_proc_get(child->wp->scoreboard, child->scoreboard_i); -+ proc = fpm_scoreboard_proc_get_from_child(child); - if (!proc) { - return 0; - } -@@ -300,7 +300,7 @@ int fpm_request_last_activity(struct fpm_child_s *child, struct timeval *tv) /* - - if (!tv) return -1; - -- proc = fpm_scoreboard_proc_get(child->wp->scoreboard, child->scoreboard_i); -+ proc = fpm_scoreboard_proc_get_from_child(child); - if (!proc) { - return -1; - } -diff --git a/sapi/fpm/fpm/fpm_scoreboard.c b/sapi/fpm/fpm/fpm_scoreboard.c -index 328f999f0c9b..7e9da4d6848a 100644 ---- 
a/sapi/fpm/fpm/fpm_scoreboard.c -+++ b/sapi/fpm/fpm/fpm_scoreboard.c -@@ -6,6 +6,7 @@ - #include - - #include "fpm_config.h" -+#include "fpm_children.h" - #include "fpm_scoreboard.h" - #include "fpm_shm.h" - #include "fpm_sockets.h" -@@ -23,7 +24,6 @@ static float fpm_scoreboard_tick; - int fpm_scoreboard_init_main() /* {{{ */ - { - struct fpm_worker_pool_s *wp; -- unsigned int i; - - #ifdef HAVE_TIMES - #if (defined(HAVE_SYSCONF) && defined(_SC_CLK_TCK)) -@@ -40,7 +40,7 @@ int fpm_scoreboard_init_main() /* {{{ */ - - - for (wp = fpm_worker_all_pools; wp; wp = wp->next) { -- size_t scoreboard_size, scoreboard_nprocs_size; -+ size_t scoreboard_procs_size; - void *shm_mem; - - if (wp->config->pm_max_children < 1) { -@@ -53,22 +53,15 @@ int fpm_scoreboard_init_main() /* {{{ */ - return -1; - } - -- scoreboard_size = sizeof(struct fpm_scoreboard_s) + (wp->config->pm_max_children) * sizeof(struct fpm_scoreboard_proc_s *); -- scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children; -- shm_mem = fpm_shm_alloc(scoreboard_size + scoreboard_nprocs_size); -+ scoreboard_procs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children; -+ shm_mem = fpm_shm_alloc(sizeof(struct fpm_scoreboard_s) + scoreboard_procs_size); - - if (!shm_mem) { - return -1; - } -- wp->scoreboard = shm_mem; -+ wp->scoreboard = shm_mem; -+ wp->scoreboard->pm = wp->config->pm; - wp->scoreboard->nprocs = wp->config->pm_max_children; -- shm_mem += scoreboard_size; -- -- for (i = 0; i < wp->scoreboard->nprocs; i++, shm_mem += sizeof(struct fpm_scoreboard_proc_s)) { -- wp->scoreboard->procs[i] = shm_mem; -- } -- -- wp->scoreboard->pm = wp->config->pm; - wp->scoreboard->start_epoch = time(NULL); - strlcpy(wp->scoreboard->pool, wp->config->name, sizeof(wp->scoreboard->pool)); - } -@@ -162,28 +155,48 @@ struct fpm_scoreboard_s *fpm_scoreboard_get() /* {{{*/ - } - /* }}} */ - --struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get(struct fpm_scoreboard_s 
*scoreboard, int child_index) /* {{{*/ -+static inline struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get_ex( -+ struct fpm_scoreboard_s *scoreboard, int child_index, unsigned int nprocs) /* {{{*/ - { - if (!scoreboard) { -- scoreboard = fpm_scoreboard; -+ return NULL; - } - -- if (!scoreboard) { -+ if (child_index < 0 || (unsigned int)child_index >= nprocs) { - return NULL; - } - -+ return &scoreboard->procs[child_index]; -+} -+/* }}} */ -+ -+struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get( -+ struct fpm_scoreboard_s *scoreboard, int child_index) /* {{{*/ -+{ -+ if (!scoreboard) { -+ scoreboard = fpm_scoreboard; -+ } -+ - if (child_index < 0) { - child_index = fpm_scoreboard_i; - } - -- if (child_index < 0 || (unsigned int)child_index >= scoreboard->nprocs) { -- return NULL; -- } -+ return fpm_scoreboard_proc_get_ex(scoreboard, child_index, scoreboard->nprocs); -+} -+/* }}} */ - -- return scoreboard->procs[child_index]; -+struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get_from_child(struct fpm_child_s *child) /* {{{*/ -+{ -+ struct fpm_worker_pool_s *wp = child->wp; -+ unsigned int nprocs = wp->config->pm_max_children; -+ struct fpm_scoreboard_s *scoreboard = wp->scoreboard; -+ int child_index = child->scoreboard_i; -+ -+ return fpm_scoreboard_proc_get_ex(scoreboard, child_index, nprocs); - } - /* }}} */ - -+ - struct fpm_scoreboard_s *fpm_scoreboard_acquire(struct fpm_scoreboard_s *scoreboard, int nohang) /* {{{ */ - { - struct fpm_scoreboard_s *s; -@@ -234,28 +247,28 @@ void fpm_scoreboard_proc_release(struct fpm_scoreboard_proc_s *proc) /* {{{ */ - proc->lock = 0; - } - --void fpm_scoreboard_free(struct fpm_scoreboard_s *scoreboard) /* {{{ */ -+void fpm_scoreboard_free(struct fpm_worker_pool_s *wp) /* {{{ */ - { -- size_t scoreboard_size, scoreboard_nprocs_size; -+ size_t scoreboard_procs_size; -+ struct fpm_scoreboard_s *scoreboard = wp->scoreboard; - - if (!scoreboard) { - zlog(ZLOG_ERROR, "**scoreboard is NULL"); - return; - } - -- 
scoreboard_size = sizeof(struct fpm_scoreboard_s) + (scoreboard->nprocs) * sizeof(struct fpm_scoreboard_proc_s *); -- scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * scoreboard->nprocs; -+ scoreboard_procs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children; - -- fpm_shm_free(scoreboard, scoreboard_size + scoreboard_nprocs_size); -+ fpm_shm_free(scoreboard, sizeof(struct fpm_scoreboard_s) + scoreboard_procs_size); - } - /* }}} */ - --void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_index, pid_t pid) /* {{{ */ -+void fpm_scoreboard_child_use(struct fpm_child_s *child, pid_t pid) /* {{{ */ - { - struct fpm_scoreboard_proc_s *proc; -- fpm_scoreboard = scoreboard; -- fpm_scoreboard_i = child_index; -- proc = fpm_scoreboard_proc_get(scoreboard, child_index); -+ fpm_scoreboard = child->wp->scoreboard; -+ fpm_scoreboard_i = child->scoreboard_i; -+ proc = fpm_scoreboard_proc_get_from_child(child); - if (!proc) { - return; - } -@@ -264,18 +277,22 @@ void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_ind - } - /* }}} */ - --void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_index) /* {{{ */ -+void fpm_scoreboard_proc_free(struct fpm_child_s *child) /* {{{ */ - { -+ struct fpm_worker_pool_s *wp = child->wp; -+ struct fpm_scoreboard_s *scoreboard = wp->scoreboard; -+ int child_index = child->scoreboard_i; -+ - if (!scoreboard) { - return; - } - -- if (child_index < 0 || (unsigned int)child_index >= scoreboard->nprocs) { -+ if (child_index < 0 || child_index >= wp->config->pm_max_children) { - return; - } - -- if (scoreboard->procs[child_index] && scoreboard->procs[child_index]->used > 0) { -- memset(scoreboard->procs[child_index], 0, sizeof(struct fpm_scoreboard_proc_s)); -+ if (scoreboard->procs[child_index].used > 0) { -+ memset(&scoreboard->procs[child_index], 0, sizeof(struct fpm_scoreboard_proc_s)); - } - - /* set this slot as free to avoid search on next 
alloc */ -@@ -283,41 +300,44 @@ void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_ind - } - /* }}} */ - --int fpm_scoreboard_proc_alloc(struct fpm_scoreboard_s *scoreboard, int *child_index) /* {{{ */ -+int fpm_scoreboard_proc_alloc(struct fpm_child_s *child) /* {{{ */ - { - int i = -1; -+ struct fpm_worker_pool_s *wp = child->wp; -+ struct fpm_scoreboard_s *scoreboard = wp->scoreboard; -+ int nprocs = wp->config->pm_max_children; - -- if (!scoreboard || !child_index) { -+ if (!scoreboard) { - return -1; - } - - /* first try the slot which is supposed to be free */ -- if (scoreboard->free_proc >= 0 && (unsigned int)scoreboard->free_proc < scoreboard->nprocs) { -- if (scoreboard->procs[scoreboard->free_proc] && !scoreboard->procs[scoreboard->free_proc]->used) { -+ if (scoreboard->free_proc >= 0 && scoreboard->free_proc < nprocs) { -+ if (!scoreboard->procs[scoreboard->free_proc].used) { - i = scoreboard->free_proc; - } - } - - if (i < 0) { /* the supposed free slot is not, let's search for a free slot */ - zlog(ZLOG_DEBUG, "[pool %s] the proc->free_slot was not free. 
Let's search", scoreboard->pool); -- for (i = 0; i < (int)scoreboard->nprocs; i++) { -- if (scoreboard->procs[i] && !scoreboard->procs[i]->used) { /* found */ -+ for (i = 0; i < nprocs; i++) { -+ if (!scoreboard->procs[i].used) { /* found */ - break; - } - } - } - - /* no free slot */ -- if (i < 0 || i >= (int)scoreboard->nprocs) { -+ if (i < 0 || i >= nprocs) { - zlog(ZLOG_ERROR, "[pool %s] no free scoreboard slot", scoreboard->pool); - return -1; - } - -- scoreboard->procs[i]->used = 1; -- *child_index = i; -+ scoreboard->procs[i].used = 1; -+ child->scoreboard_i = i; - - /* supposed next slot is free */ -- if (i + 1 >= (int)scoreboard->nprocs) { -+ if (i + 1 >= nprocs) { - scoreboard->free_proc = 0; - } else { - scoreboard->free_proc = i + 1; -diff --git a/sapi/fpm/fpm/fpm_scoreboard.h b/sapi/fpm/fpm/fpm_scoreboard.h -index 1fecde1d0feb..9d5981e1c739 100644 ---- a/sapi/fpm/fpm/fpm_scoreboard.h -+++ b/sapi/fpm/fpm/fpm_scoreboard.h -@@ -63,7 +63,7 @@ struct fpm_scoreboard_s { - unsigned int nprocs; - int free_proc; - unsigned long int slow_rq; -- struct fpm_scoreboard_proc_s *procs[]; -+ struct fpm_scoreboard_proc_s procs[]; - }; - - int fpm_scoreboard_init_main(); -@@ -72,18 +72,19 @@ int fpm_scoreboard_init_child(struct fpm_worker_pool_s *wp); - void fpm_scoreboard_update(int idle, int active, int lq, int lq_len, int requests, int max_children_reached, int slow_rq, int action, struct fpm_scoreboard_s *scoreboard); - struct fpm_scoreboard_s *fpm_scoreboard_get(); - struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get(struct fpm_scoreboard_s *scoreboard, int child_index); -+struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get_from_child(struct fpm_child_s *child); - - struct fpm_scoreboard_s *fpm_scoreboard_acquire(struct fpm_scoreboard_s *scoreboard, int nohang); - void fpm_scoreboard_release(struct fpm_scoreboard_s *scoreboard); - struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_acquire(struct fpm_scoreboard_s *scoreboard, int child_index, int nohang); - void 
fpm_scoreboard_proc_release(struct fpm_scoreboard_proc_s *proc); - --void fpm_scoreboard_free(struct fpm_scoreboard_s *scoreboard); -+void fpm_scoreboard_free(struct fpm_worker_pool_s *wp); - --void fpm_scoreboard_child_use(struct fpm_scoreboard_s *scoreboard, int child_index, pid_t pid); -+void fpm_scoreboard_child_use(struct fpm_child_s *child, pid_t pid); - --void fpm_scoreboard_proc_free(struct fpm_scoreboard_s *scoreboard, int child_index); --int fpm_scoreboard_proc_alloc(struct fpm_scoreboard_s *scoreboard, int *child_index); -+void fpm_scoreboard_proc_free(struct fpm_child_s *child); -+int fpm_scoreboard_proc_alloc(struct fpm_child_s *child); - - #ifdef HAVE_TIMES - float fpm_scoreboard_get_tick(); -diff --git a/sapi/fpm/fpm/fpm_status.c b/sapi/fpm/fpm/fpm_status.c -index 36d224063583..de8db9d61a25 100644 ---- a/sapi/fpm/fpm/fpm_status.c -+++ b/sapi/fpm/fpm/fpm_status.c -@@ -498,10 +498,10 @@ int fpm_status_handle_request(void) /* {{{ */ - - first = 1; - for (i=0; inprocs; i++) { -- if (!scoreboard_p->procs[i] || !scoreboard_p->procs[i]->used) { -+ if (!scoreboard_p->procs[i].used) { - continue; - } -- proc = *scoreboard_p->procs[i]; -+ proc = scoreboard_p->procs[i]; - - if (first) { - first = 0; -diff --git a/sapi/fpm/fpm/fpm_worker_pool.c b/sapi/fpm/fpm/fpm_worker_pool.c -index d04528f4e0d0..65a9b226b1ae 100644 ---- a/sapi/fpm/fpm/fpm_worker_pool.c -+++ b/sapi/fpm/fpm/fpm_worker_pool.c -@@ -54,7 +54,7 @@ static void fpm_worker_pool_cleanup(int which, void *arg) /* {{{ */ - fpm_worker_pool_config_free(wp->config); - fpm_children_free(wp->children); - if ((which & FPM_CLEANUP_CHILD) == 0 && fpm_globals.parent_pid == getpid()) { -- fpm_scoreboard_free(wp->scoreboard); -+ fpm_scoreboard_free(wp); - } - fpm_worker_pool_free(wp); - } diff --git a/php-7.4.19-CVE-2021-21705.patch b/php-7.4.19-CVE-2021-21705.patch deleted file mode 100644 index c1c65ec..0000000 --- a/php-7.4.19-CVE-2021-21705.patch +++ /dev/null 
@@ -1,55 +0,0 @@
-From 5cea97e083448aaa2352320612541c895178b3b5 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker"
-Date: Mon, 14 Jun 2021 13:22:27 +0200
-Subject: [PATCH] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
-
-We need to ensure that the password detected by parse_url() is actually
-a valid password; we can re-use is_userinfo_valid() for that.
----
- ext/filter/logical_filters.c | 4 +++-
- ext/filter/tests/bug81122.phpt | 21 +++++++++++++++++++++
- 2 files changed, 24 insertions(+), 1 deletion(-)
- create mode 100644 ext/filter/tests/bug81122.phpt
-
-diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
-index ba2e7e527e76..721da45d532d 100644
---- a/ext/filter/logical_filters.c
-+++ b/ext/filter/logical_filters.c
-@@ -632,7 +632,9 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
- RETURN_VALIDATION_FAILED
- }
-
-- if (url->user != NULL && !is_userinfo_valid(url->user)) {
-+ if (url->user != NULL && !is_userinfo_valid(url->user)
-+ || url->pass != NULL && !is_userinfo_valid(url->pass)
-+ ) {
- php_url_free(url);
- RETURN_VALIDATION_FAILED
-
-diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt
-new file mode 100644
-index 000000000000..d89d4114a547
---- /dev/null
-+++ b/ext/filter/tests/bug81122.phpt
-@@ -0,0 +1,21 @@
-+--TEST--
-+Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL)
-+--SKIPIF--
-+
-+--FILE--
-+
-+--EXPECT--
-+bool(false)
-+bool(false)
-+bool(false)
diff --git a/php-7.4.19.tar.xz.asc b/php-7.4.19.tar.xz.asc
deleted file mode 100644
index 518111d..0000000
--- a/php-7.4.19.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEWlKIB4H3VWCL+BX8kQ3rRvU+oxIFAmCRK6EACgkQkQ3rRvU+
-oxIK6xAA6F+gXg4rh61svifxkt8J0w1L8vDSjFr+9V8v5pFa3qORK+e1AQ9DjySK
-BmtjcjlWCO+QYl65mopliZFkuf4GmexxR4pBc2CRp8IeS2eTu97kzyfwzuWsGKVN
-zu1lwVtyzk171QzOUfVTa37LL+fWoDFp+srtPZCfHw8Kw1R2zuSh9IMO9zXLvxLF
-1RulR05yfv3wEbE91NqlS0obhLcvjVPdzS2bh94UdrvQd+oCSU0DSlc9Hzml6TbI
-Ypk4EqiO4O53qfQBp1qehCfVtMrfod9h874jYSQuM+3szZJw5y2OLi4d+GMTWDCd
-FZXJYnpSS9qPSsMrRFnKEbm/3w3cTD+y8ys82ONekNaNPYQeOCeq+mee+GkSwF5P
-jElw997uxvR7qZmDheXvZkXLtRoGt7TJtL88uedzqMY78PgLcW9+PLyV32aqAi7v
-W7GFLfVpqhEmImwsuvOwckAgt+y1B+g6wDpJ7hitOKLq6x8gydxBos4iBYsicKW7
-o2UXoS1Hkwha0EZf3hBmBQ7jKivZ1rM6zAFDMYepFQ8lVAzo48WbxCiBvvUuVin6
-TM1kivfYA2OOlD3d77oyHY7suwU7/NHg+HhSmAs8VgBaIdrER1vY1UK2GXhD29Rr
-R550ofXcRsGwiFS+/IzVL22QVil71QmUodRcGp/7E5QuwrNoBfI=
-=NYzh
------END PGP SIGNATURE-----
diff --git a/php-8.0.0-embed.patch b/php-8.0.0-embed.patch
deleted file mode 100644
index 27533ea..0000000
--- a/php-8.0.0-embed.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff -up ./sapi/embed/config.m4.embed ./sapi/embed/config.m4
---- ./sapi/embed/config.m4.embed 2020-07-07 13:51:05.879764972 +0200
-+++ ./sapi/embed/config.m4 2020-07-07 13:52:50.128412148 +0200
-@@ -12,7 +12,8 @@ if test "$PHP_EMBED" != "no"; then
- yes|shared)
- LIBPHP_CFLAGS="-shared"
- PHP_EMBED_TYPE=shared
-- INSTALL_IT="\$(mkinstalldirs) \$(INSTALL_ROOT)\$(prefix)/lib; \$(INSTALL) -m 0755 $SAPI_SHARED \$(INSTALL_ROOT)\$(prefix)/lib"
-+ EXTRA_LDFLAGS="$EXTRA_LDFLAGS -release \$(PHP_MAJOR_VERSION).\$(PHP_MINOR_VERSION)"
-+ INSTALL_IT="\$(mkinstalldirs) \$(INSTALL_ROOT)\$(libdir); \$(LIBTOOL) --mode=install \$(INSTALL) -m 0755 \$(OVERALL_TARGET) \$(INSTALL_ROOT)\$(libdir)"
- ;;
- static)
- LIBPHP_CFLAGS="-static"
-diff -up ./scripts/php-config.in.embed ./scripts/php-config.in
---- ./scripts/php-config.in.embed 2020-07-07 12:54:42.000000000 +0200
-+++ ./scripts/php-config.in 2020-07-07 13:51:05.880764968 +0200
-@@ -18,7 +18,7 @@ exe_extension="@EXEEXT@"
- php_cli_binary=NONE
- php_cgi_binary=NONE
- configure_options="@CONFIGURE_OPTIONS@"
--php_sapis="@PHP_INSTALLED_SAPIS@"
-+php_sapis="apache2handler litespeed fpm phpdbg @PHP_INSTALLED_SAPIS@"
- ini_dir="@EXPANDED_PHP_CONFIG_FILE_SCAN_DIR@"
- ini_path="@EXPANDED_PHP_CONFIG_FILE_PATH@"
-
diff --git a/php-8.0.0-phpinfo.patch b/php-8.0.0-phpinfo.patch
deleted file mode 100644
index 391d996..0000000
--- a/php-8.0.0-phpinfo.patch
+++ /dev/null
@@ -1,118 +0,0 @@ - -Drop "Configure Command" from phpinfo as it doesn't -provide any useful information. -The available extensions are not related to this command. - -Replace full GCC name by gcc in php -v output - - -Also apply - -From 9bf43c45908433d382f0499d529849172d0d8206 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Mon, 28 Dec 2020 08:33:09 +0100 -Subject: [PATCH] rename COMPILER and ARCHITECTURE macro (too generic) - ---- - configure.ac | 4 ++-- - ext/standard/info.c | 8 ++++---- - sapi/cli/php_cli.c | 8 ++++---- - win32/build/confutils.js | 10 +++++----- - 4 files changed, 15 insertions(+), 15 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 9d9c8b155b07..143dc061346b 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1289,10 +1289,10 @@ if test -n "${PHP_BUILD_PROVIDER}"; then - AC_DEFINE_UNQUOTED(PHP_BUILD_PROVIDER,"$PHP_BUILD_PROVIDER",[build provider]) - fi - if test -n "${PHP_BUILD_COMPILER}"; then -- AC_DEFINE_UNQUOTED(COMPILER,"$PHP_BUILD_COMPILER",[used compiler for build]) -+ AC_DEFINE_UNQUOTED(PHP_BUILD_COMPILER,"$PHP_BUILD_COMPILER",[used compiler for build]) - fi - if test -n "${PHP_BUILD_ARCH}"; then -- AC_DEFINE_UNQUOTED(ARCHITECTURE,"$PHP_BUILD_ARCH",[build architecture]) -+ AC_DEFINE_UNQUOTED(PHP_BUILD_ARCH,"$PHP_BUILD_ARCH",[build architecture]) - fi - - PHP_SUBST_OLD(PHP_INSTALLED_SAPIS) -diff --git a/ext/standard/info.c b/ext/standard/info.c -index 153cb6cde014..8ceef31d9fe4 100644 ---- a/ext/standard/info.c -+++ b/ext/standard/info.c -@@ -798,11 +798,11 @@ PHPAPI ZEND_COLD void php_print_info(int flag) - #ifdef PHP_BUILD_PROVIDER - php_info_print_table_row(2, "Build Provider", PHP_BUILD_PROVIDER); - #endif --#ifdef COMPILER -- php_info_print_table_row(2, "Compiler", COMPILER); -+#ifdef PHP_BUILD_COMPILER -+ php_info_print_table_row(2, "Compiler", PHP_BUILD_COMPILER); - #endif --#ifdef ARCHITECTURE -- php_info_print_table_row(2, "Architecture", ARCHITECTURE); -+#ifdef PHP_BUILD_ARCH -+ php_info_print_table_row(2, 
"Architecture", PHP_BUILD_ARCH); - #endif - #ifdef CONFIGURE_COMMAND - php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); -diff --git a/sapi/cli/php_cli.c b/sapi/cli/php_cli.c -index 5092fb0ffd68..9d296acec631 100644 ---- a/sapi/cli/php_cli.c -+++ b/sapi/cli/php_cli.c -@@ -640,12 +640,12 @@ static int do_cli(int argc, char **argv) /* {{{ */ - #else - "NTS " - #endif --#ifdef COMPILER -- COMPILER -+#ifdef PHP_BUILD_COMPILER -+ PHP_BUILD_COMPILER - " " - #endif --#ifdef ARCHITECTURE -- ARCHITECTURE -+#ifdef PHP_BUILD_ARCH -+ PHP_BUILD_ARCH - " " - #endif - #if ZEND_DEBUG - -diff -up ./ext/standard/info.c.phpinfo ./ext/standard/info.c ---- ./ext/standard/info.c.phpinfo 2020-07-21 10:49:31.000000000 +0200 -+++ ./ext/standard/info.c 2020-07-21 11:41:56.295633523 +0200 -@@ -804,9 +804,6 @@ PHPAPI ZEND_COLD void php_print_info(int - #ifdef PHP_BUILD_ARCH - php_info_print_table_row(2, "Architecture", PHP_BUILD_ARCH); - #endif --#ifdef CONFIGURE_COMMAND -- php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); --#endif - - if (sapi_module.pretty_name) { - php_info_print_table_row(2, "Server API", sapi_module.pretty_name ); -diff -up ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo ./ext/standard/tests/general_functions/phpinfo.phpt ---- ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo 2020-07-21 10:49:31.000000000 +0200 -+++ ./ext/standard/tests/general_functions/phpinfo.phpt 2020-07-21 11:41:56.296633522 +0200 -@@ -17,7 +17,6 @@ PHP Version => %s - - System => %s - Build Date => %s%a --Configure Command => %s - Server API => Command Line Interface - Virtual Directory Support => %s - Configuration File (php.ini) Path => %s -diff -up ./sapi/cli/php_cli.c.phpinfo ./sapi/cli/php_cli.c ---- ./sapi/cli/php_cli.c.phpinfo 2020-07-21 11:43:38.812475300 +0200 -+++ ./sapi/cli/php_cli.c 2020-07-21 11:43:45.783464540 +0200 -@@ -641,8 +641,7 @@ static int do_cli(int argc, char **argv) - "NTS " - #endif - #ifdef PHP_BUILD_COMPILER 
-- PHP_BUILD_COMPILER -- " " -+ "gcc " - #endif - #ifdef PHP_BUILD_ARCH - PHP_BUILD_ARCH diff --git a/php-8.0.10-openssl3.patch b/php-8.0.10-openssl3.patch deleted file mode 100644 index 6070150..0000000 --- a/php-8.0.10-openssl3.patch +++ /dev/null 
@@ -1,4761 +0,0 @@
-From 3d13d14f318267b27f99025b37a2061c835e0727 Mon Sep 17 00:00:00 2001
-From: Remi Collet
-Date: Sun, 8 Aug 2021 17:38:30 +0200
-Subject: [PATCH 01/39] minimal fix for openssl 3.0 (#7002)
-
-(cherry picked from commit a0972deb0f441fc7991001cb51efc994b70a3b51)
----
- ext/openssl/openssl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 19e7a0d79e..015cd89aa6 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -1221,7 +1221,9 @@ PHP_MINIT_FUNCTION(openssl)
- REGISTER_LONG_CONSTANT("OPENSSL_CMS_NOSIGS", CMS_NOSIGS, CONST_CS|CONST_PERSISTENT);
-
- REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_PADDING", RSA_PKCS1_PADDING, CONST_CS|CONST_PERSISTENT);
-+#ifdef RSA_SSLV23_PADDING
- REGISTER_LONG_CONSTANT("OPENSSL_SSLV23_PADDING", RSA_SSLV23_PADDING, CONST_CS|CONST_PERSISTENT);
-+#endif
- REGISTER_LONG_CONSTANT("OPENSSL_NO_PADDING", RSA_NO_PADDING, CONST_CS|CONST_PERSISTENT);
- REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING, CONST_CS|CONST_PERSISTENT);
-
---
-2.31.1
-
-From fc0dbc36e4563a5146aa5345e8520f6601ec7030 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Wed, 4 Aug 2021 09:41:39 +0200
-Subject: [PATCH 02/39] Optimize openssl memory leak test
-
-Just do one call and check whether memory usage changes. Looping
-this 100000 times is extremely slow with debug builds of openssl.
- -(cherry picked from commit 6249172ae37f958f0a3ef92cb55d5bf7affa8214) ---- - ext/openssl/tests/bug79145.phpt | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/ext/openssl/tests/bug79145.phpt b/ext/openssl/tests/bug79145.phpt -index 4f3dc9e766..c9c7df2953 100644 ---- a/ext/openssl/tests/bug79145.phpt -+++ b/ext/openssl/tests/bug79145.phpt -@@ -3,7 +3,6 @@ Bug #79145 (openssl memory leak) - --SKIPIF-- - - --FILE-- - - --EXPECT-- - bool(true) --- -2.31.1 - -From da4fbfb99a6dfc9dbaaa04a4bc8068a7e9bfa46c Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Wed, 4 Aug 2021 09:46:07 +0200 -Subject: [PATCH 03/39] Reduce security level in some OpenSSL tests - -This allows tests using older protocols and algorithms to work -under OpenSSL 3. - -Also account for minor changes in error reporting. - -(cherry picked from commit 3ea57cf83834e07aae6953201015e39b4a2ac6dd) ---- - ext/openssl/tests/session_meta_capture.phpt | 4 ++-- - ext/openssl/tests/stream_crypto_flags_001.phpt | 4 ++-- - ext/openssl/tests/stream_crypto_flags_002.phpt | 4 ++-- - ext/openssl/tests/stream_crypto_flags_003.phpt | 4 ++-- - ext/openssl/tests/stream_crypto_flags_004.phpt | 4 ++-- - ext/openssl/tests/stream_security_level.phpt | 4 ++-- - ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt | 4 ++-- - ext/openssl/tests/tls_wrapper.phpt | 4 ++-- - ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt | 4 ++-- - ext/openssl/tests/tlsv1.0_wrapper.phpt | 4 ++-- - ext/openssl/tests/tlsv1.1_wrapper.phpt | 4 ++-- - 11 files changed, 22 insertions(+), 22 deletions(-) - -diff --git a/ext/openssl/tests/session_meta_capture.phpt b/ext/openssl/tests/session_meta_capture.phpt -index 58b48e9c59..8a0f403a15 100644 ---- a/ext/openssl/tests/session_meta_capture.phpt -+++ b/ext/openssl/tests/session_meta_capture.phpt -@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' - $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; - $serverCtx = stream_context_create(['ssl' => [ - 'local_cert' => '%s', -- 
'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); -@@ -36,7 +36,7 @@ $clientCode = <<<'CODE' - 'verify_peer' => true, - 'cafile' => '%s', - 'peer_name' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - phpt_wait(); -diff --git a/ext/openssl/tests/stream_crypto_flags_001.phpt b/ext/openssl/tests/stream_crypto_flags_001.phpt -index acd97110ff..a86e0f8a6c 100644 ---- a/ext/openssl/tests/stream_crypto_flags_001.phpt -+++ b/ext/openssl/tests/stream_crypto_flags_001.phpt -@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' - $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; - $serverCtx = stream_context_create(['ssl' => [ - 'local_cert' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); -@@ -35,7 +35,7 @@ $clientCode = <<<'CODE' - 'verify_peer' => true, - 'cafile' => '%s', - 'peer_name' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - phpt_wait(); -diff --git a/ext/openssl/tests/stream_crypto_flags_002.phpt b/ext/openssl/tests/stream_crypto_flags_002.phpt -index 15b1ec2cfc..2870bdc814 100644 ---- a/ext/openssl/tests/stream_crypto_flags_002.phpt -+++ b/ext/openssl/tests/stream_crypto_flags_002.phpt -@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' - $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; - $serverCtx = stream_context_create(['ssl' => [ - 'local_cert' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); -@@ -36,7 +36,7 @@ $clientCode = <<<'CODE' - 'verify_peer' => true, - 'cafile' => '%s', - 'peer_name' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - phpt_wait(); -diff --git a/ext/openssl/tests/stream_crypto_flags_003.phpt b/ext/openssl/tests/stream_crypto_flags_003.phpt -index 
35f83f22dd..da1f1ae228 100644 ---- a/ext/openssl/tests/stream_crypto_flags_003.phpt -+++ b/ext/openssl/tests/stream_crypto_flags_003.phpt -@@ -19,7 +19,7 @@ $serverCode = <<<'CODE' - - // Only accept TLSv1.0 and TLSv1.2 connections - 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER | STREAM_CRYPTO_METHOD_TLSv1_2_SERVER, -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); -@@ -40,7 +40,7 @@ $clientCode = <<<'CODE' - 'verify_peer' => true, - 'cafile' => '%s', - 'peer_name' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - phpt_wait(); -diff --git a/ext/openssl/tests/stream_crypto_flags_004.phpt b/ext/openssl/tests/stream_crypto_flags_004.phpt -index d9bfcfea3f..b7626b8ea7 100644 ---- a/ext/openssl/tests/stream_crypto_flags_004.phpt -+++ b/ext/openssl/tests/stream_crypto_flags_004.phpt -@@ -16,7 +16,7 @@ $serverCode = <<<'CODE' - $serverCtx = stream_context_create(['ssl' => [ - 'local_cert' => '%s', - 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER, -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); -@@ -37,7 +37,7 @@ $clientCode = <<<'CODE' - 'verify_peer' => true, - 'cafile' => '%s', - 'peer_name' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - phpt_wait(); -diff --git a/ext/openssl/tests/stream_security_level.phpt b/ext/openssl/tests/stream_security_level.phpt -index 44ba4c6d57..b8a8796de3 100644 ---- a/ext/openssl/tests/stream_security_level.phpt -+++ b/ext/openssl/tests/stream_security_level.phpt -@@ -24,7 +24,7 @@ $serverCode = <<<'CODE' - 'local_cert' => '%s', - // Make sure the server side starts up successfully if the default security level is - // higher. We want to test the error at the client side. 
-- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); -@@ -66,7 +66,7 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode); - ?> - --EXPECTF-- - Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: --error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in %s : eval()'d code on line %d -+error:%s:SSL routines:%S:certificate verify failed in %s : eval()'d code on line %d - - Warning: stream_socket_client(): Failed to enable crypto in %s : eval()'d code on line %d - -diff --git a/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt b/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt -index ac31192da4..73dd812291 100644 ---- a/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt -+++ b/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt -@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' - 'local_cert' => '%s', - 'min_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_0, - 'max_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_1, -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); -@@ -32,7 +32,7 @@ $clientCode = <<<'CODE' - $ctx = stream_context_create(['ssl' => [ - 'verify_peer' => false, - 'verify_peer_name' => false, -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - phpt_wait(); -diff --git a/ext/openssl/tests/tls_wrapper.phpt b/ext/openssl/tests/tls_wrapper.phpt -index d79e978c10..3488f6f7f0 100644 ---- a/ext/openssl/tests/tls_wrapper.phpt -+++ b/ext/openssl/tests/tls_wrapper.phpt -@@ -14,7 +14,7 @@ $serverCode = <<<'CODE' - $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; - $ctx = stream_context_create(['ssl' => [ - 'local_cert' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); -@@ 
-31,7 +31,7 @@ $clientCode = <<<'CODE' - $ctx = stream_context_create(['ssl' => [ - 'verify_peer' => false, - 'verify_peer_name' => false, -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - phpt_wait(); -diff --git a/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt b/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt -index b419179b3f..c8a0245601 100644 ---- a/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt -+++ b/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt -@@ -14,7 +14,7 @@ $serverCode = <<<'CODE' - $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; - $ctx = stream_context_create(['ssl' => [ - 'local_cert' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); -@@ -31,7 +31,7 @@ $clientCode = <<<'CODE' - $ctx = stream_context_create(['ssl' => [ - 'verify_peer' => false, - 'verify_peer_name' => false, -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - phpt_wait(); -diff --git a/ext/openssl/tests/tlsv1.0_wrapper.phpt b/ext/openssl/tests/tlsv1.0_wrapper.phpt -index adbe7b6308..fc802662ac 100644 ---- a/ext/openssl/tests/tlsv1.0_wrapper.phpt -+++ b/ext/openssl/tests/tlsv1.0_wrapper.phpt -@@ -13,7 +13,7 @@ $serverCode = <<<'CODE' - $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; - $ctx = stream_context_create(['ssl' => [ - 'local_cert' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server('tlsv1.0://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); -@@ -30,7 +30,7 @@ $clientCode = <<<'CODE' - $ctx = stream_context_create(['ssl' => [ - 'verify_peer' => false, - 'verify_peer_name' => false, -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - phpt_wait(); -diff --git a/ext/openssl/tests/tlsv1.1_wrapper.phpt b/ext/openssl/tests/tlsv1.1_wrapper.phpt -index c1aaa04919..84a137b5f4 100644 ---- a/ext/openssl/tests/tlsv1.1_wrapper.phpt -+++ b/ext/openssl/tests/tlsv1.1_wrapper.phpt -@@ 
-13,7 +13,7 @@ $serverCode = <<<'CODE' - $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; - $ctx = stream_context_create(['ssl' => [ - 'local_cert' => '%s', -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - $server = stream_socket_server('tlsv1.1://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); -@@ -30,7 +30,7 @@ $clientCode = <<<'CODE' - $ctx = stream_context_create(['ssl' => [ - 'verify_peer' => false, - 'verify_peer_name' => false, -- 'security_level' => 1, -+ 'security_level' => 0, - ]]); - - phpt_wait(); --- -2.31.1 - -From fe770720985c5f31a79528528be0aa8e0e56a389 Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Wed, 4 Aug 2021 09:57:40 +0200 -Subject: [PATCH 04/39] Adjust some tests for whitespace differences in OpenSSL - 3 - -A trailing newline is no longer present in OpenSSL 3. - -(cherry picked from commit 0a530d7650c6f9cb7c1b55755c8bf5961052039c) ---- - ext/openssl/tests/bug28382.phpt | 17 +++++++---------- - ext/openssl/tests/cve2013_4073.phpt | 5 ++--- - ext/openssl/tests/openssl_x509_parse_basic.phpt | 10 ++++------ - 3 files changed, 13 insertions(+), 19 deletions(-) - -diff --git a/ext/openssl/tests/bug28382.phpt b/ext/openssl/tests/bug28382.phpt -index 3d8cb528ba..00765ba838 100644 ---- a/ext/openssl/tests/bug28382.phpt -+++ b/ext/openssl/tests/bug28382.phpt -@@ -9,11 +9,10 @@ if (!extension_loaded("openssl")) die("skip"); - $cert = file_get_contents(__DIR__ . "/bug28382cert.txt"); - $ext = openssl_x509_parse($cert); - var_dump($ext['extensions']); --/* openssl 1.0 prepends the string "Full Name:" to the crlDistributionPoints array key. -- For now, as this is the one difference only between 0.9.x and 1.x, it's handled with -- placeholders to not to duplicate the test. When more diffs come, a duplication would -- be probably a better solution. --*/ -+/* -+ * The reason for %A at the end of crlDistributionPoints and authorityKeyIdentifier is that -+ * OpenSSL 3.0 removes new lines which were present in previous versions. 
-+ */ - ?> - --EXPECTF-- - array(11) { -@@ -24,8 +23,7 @@ array(11) { - ["nsCertType"]=> - string(30) "SSL Client, SSL Server, S/MIME" - ["crlDistributionPoints"]=> -- string(%d) "%AURI:http://mobile.blue-software.ro:90/ca/crl.shtml --" -+ string(%d) "%AURI:http://mobile.blue-software.ro:90/ca/crl.shtml%A" - ["nsCaPolicyUrl"]=> - string(38) "http://mobile.blue-software.ro:90/pub/" - ["subjectAltName"]=> -@@ -33,9 +31,8 @@ array(11) { - ["subjectKeyIdentifier"]=> - string(59) "B0:A7:FF:F9:41:15:DE:23:39:BD:DD:31:0F:97:A0:B2:A2:74:E0:FC" - ["authorityKeyIdentifier"]=> -- string(115) "DirName:/C=RO/ST=Romania/L=Craiova/O=Sergiu/OU=Sergiu SRL/CN=Sergiu CA/emailAddress=n_sergiu@hotmail.com --serial:00 --" -+ string(%d) "DirName:/C=RO/ST=Romania/L=Craiova/O=Sergiu/OU=Sergiu SRL/CN=Sergiu CA/emailAddress=n_sergiu@hotmail.com -+serial:00%A" - ["keyUsage"]=> - string(71) "Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment" - ["nsBaseUrl"]=> -diff --git a/ext/openssl/tests/cve2013_4073.phpt b/ext/openssl/tests/cve2013_4073.phpt -index c88021b0ae..5cd05ab040 100644 ---- a/ext/openssl/tests/cve2013_4073.phpt -+++ b/ext/openssl/tests/cve2013_4073.phpt -@@ -9,11 +9,10 @@ $info = openssl_x509_parse($cert); - var_export($info['extensions']); - - ?> ----EXPECT-- -+--EXPECTF-- - array ( - 'basicConstraints' => 'CA:FALSE', - 'subjectKeyIdentifier' => '88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C', - 'keyUsage' => 'Digital Signature, Non Repudiation, Key Encipherment', -- 'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1 --', -+ 'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 
'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1%A', - ) -diff --git a/ext/openssl/tests/openssl_x509_parse_basic.phpt b/ext/openssl/tests/openssl_x509_parse_basic.phpt -index b80c1f71f1..38915157f3 100644 ---- a/ext/openssl/tests/openssl_x509_parse_basic.phpt -+++ b/ext/openssl/tests/openssl_x509_parse_basic.phpt -@@ -153,10 +153,9 @@ array(16) { - ["subjectKeyIdentifier"]=> - string(59) "DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D" - ["authorityKeyIdentifier"]=> -- string(202) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D -+ string(%d) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D - DirName:/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnangelo@php.net --serial:AE:C5:56:CC:72:37:50:A2 --" -+serial:AE:C5:56:CC:72:37:50:A2%A" - ["basicConstraints"]=> - string(7) "CA:TRUE" - } -@@ -301,10 +300,9 @@ array(16) { - ["subjectKeyIdentifier"]=> - string(59) "DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D" - ["authorityKeyIdentifier"]=> -- string(202) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D -+ string(%d) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D - DirName:/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnangelo@php.net --serial:AE:C5:56:CC:72:37:50:A2 --" -+serial:AE:C5:56:CC:72:37:50:A2%A" - ["basicConstraints"]=> - string(7) "CA:TRUE" - } --- -2.31.1 - -From 676a47080bed2730b892e4ea43b93deb4acea335 Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Wed, 4 Aug 2021 11:55:47 +0200 -Subject: [PATCH 05/39] Use different cipher in openssl_seal() test - -RC4 is insecure and not supported in newer versions. 
- -(cherry picked from commit 046b36bcf8c062375c9f5e2a763d6144c2a484b4) ---- - ext/openssl/tests/openssl_seal_basic.phpt | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/ext/openssl/tests/openssl_seal_basic.phpt b/ext/openssl/tests/openssl_seal_basic.phpt -index 16efb05a66..e23045c992 100644 ---- a/ext/openssl/tests/openssl_seal_basic.phpt -+++ b/ext/openssl/tests/openssl_seal_basic.phpt -@@ -9,7 +9,7 @@ $a = 1; - $b = array(1); - $c = array(1); - $d = array(1); --$method = "RC4"; -+$method = "AES-128-ECB"; - - var_dump(openssl_seal($a, $b, $c, $d, $method)); - -@@ -41,8 +41,8 @@ var_dump(openssl_seal($data, $sealed, $ekeys, array($wrong), $method)); - Warning: openssl_seal(): Not a public key (1th member of pubkeys) in %s on line %d - bool(false) - openssl_seal(): Argument #4 ($public_key) cannot be empty --int(19) --int(19) -+int(32) -+int(32) - - Warning: openssl_seal(): Not a public key (2th member of pubkeys) in %s on line %d - bool(false) --- -2.31.1 - -From 389b4605281975d4ecac92cb3751d18d2e3fd60a Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Wed, 4 Aug 2021 11:58:46 +0200 -Subject: [PATCH 06/39] Don't test legacy algorithms in SPKI tests - -MD4 and RMD160 may not be available on newer OpenSSL versions. 
-
-(cherry picked from commit 9695936341c49ea0efec5bdf24acbcdf59e2a7f8)
----
- ext/openssl/tests/openssl_spki_export_basic.phpt | 4 ----
- .../tests/openssl_spki_export_challenge_basic.phpt | 14 --------------
- ext/openssl/tests/openssl_spki_new_basic.phpt | 8 --------
- ext/openssl/tests/openssl_spki_verify_basic.phpt | 7 -------
- 4 files changed, 33 deletions(-)
-
-diff --git a/ext/openssl/tests/openssl_spki_export_basic.phpt b/ext/openssl/tests/openssl_spki_export_basic.phpt
-index 4085d2d5d8..c03954390b 100644
---- a/ext/openssl/tests/openssl_spki_export_basic.phpt
-+++ b/ext/openssl/tests/openssl_spki_export_basic.phpt
-@@ -19,14 +19,12 @@ foreach ($key_sizes as $key_size) {
-
- /* array of available hashings to test */
- $algo = array(
-- OPENSSL_ALGO_MD4,
- OPENSSL_ALGO_MD5,
- OPENSSL_ALGO_SHA1,
- OPENSSL_ALGO_SHA224,
- OPENSSL_ALGO_SHA256,
- OPENSSL_ALGO_SHA384,
- OPENSSL_ALGO_SHA512,
-- OPENSSL_ALGO_RMD160
- );
-
- /* loop over key sizes for test */
-@@ -56,5 +54,3 @@ function _uuid() {
- \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
- \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
- \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
--\-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
--\-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
-diff --git a/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt b/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt
-index f44e60ec62..06308bf10c 100644
---- a/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt
-+++ b/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt
-@@ -21,14 +21,12 @@ foreach ($key_sizes as $key_size) {
-
- /* array of available hashings to test */
- $algo = array(
-- OPENSSL_ALGO_MD4,
- OPENSSL_ALGO_MD5,
- OPENSSL_ALGO_SHA1,
- OPENSSL_ALGO_SHA224,
- OPENSSL_ALGO_SHA256,
- OPENSSL_ALGO_SHA384,
- OPENSSL_ALGO_SHA512,
-- OPENSSL_ALGO_RMD160
- );
-
- /* loop over key sizes for test */
-@@ -89,15 +87,3 @@ string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
- bool\(false\)
- string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
- bool\(false\)
--string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
--bool\(false\)
--string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
--bool\(false\)
--string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
--bool\(false\)
--string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
--bool\(false\)
--string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
--bool\(false\)
--string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
--bool\(false\)
-diff --git a/ext/openssl/tests/openssl_spki_new_basic.phpt b/ext/openssl/tests/openssl_spki_new_basic.phpt
-index cb54747fe0..8378bd1ac6 100644
---- a/ext/openssl/tests/openssl_spki_new_basic.phpt
-+++ b/ext/openssl/tests/openssl_spki_new_basic.phpt
-@@ -18,14 +18,12 @@ foreach ($key_sizes as $key_size) {
-
- /* array of available hashings to test */
- $algo = array(
-- OPENSSL_ALGO_MD4,
- OPENSSL_ALGO_MD5,
- OPENSSL_ALGO_SHA1,
- OPENSSL_ALGO_SHA224,
- OPENSSL_ALGO_SHA256,
- OPENSSL_ALGO_SHA384,
- OPENSSL_ALGO_SHA512,
-- OPENSSL_ALGO_RMD160
- );
-
- /* loop over key sizes for test */
-@@ -53,21 +51,15 @@ string(478) "%s"
- string(478) "%s"
- string(478) "%s"
- string(478) "%s"
--string(478) "%s"
--string(474) "%s"
--string(830) "%s"
- string(830) "%s"
- string(830) "%s"
- string(830) "%s"
- string(830) "%s"
- string(830) "%s"
- string(830) "%s"
--string(826) "%s"
--string(1510) "%s"
- string(1510) "%s"
- string(1510) "%s"
- string(1510) "%s"
- string(1510) "%s"
- string(1510) "%s"
- string(1510) "%s"
--string(1506) "%s"
-diff --git a/ext/openssl/tests/openssl_spki_verify_basic.phpt b/ext/openssl/tests/openssl_spki_verify_basic.phpt
-index c760d0cb83..35badcda37 100644
---- a/ext/openssl/tests/openssl_spki_verify_basic.phpt
-+++ b/ext/openssl/tests/openssl_spki_verify_basic.phpt
-@@ -25,7 +25,6 @@ $algo = array(
- OPENSSL_ALGO_SHA256,
- OPENSSL_ALGO_SHA384,
- OPENSSL_ALGO_SHA512,
-- OPENSSL_ALGO_RMD160
- );
-
- /* loop over key sizes for test */
-@@ -80,9 +79,3 @@ bool(true)
- bool(false)
- bool(true)
- bool(false)
--bool(true)
--bool(false)
--bool(true)
--bool(false)
--bool(true)
--bool(false)
---
-2.31.1
-
-From 054aeebb623e6d4a055a4bab60a864f8c7f65675 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Wed, 4 Aug 2021 12:48:02 +0200
-Subject: [PATCH 07/39] Only report provided ciphers in
- openssl_get_cipher_methods()
-
-With OpenSSL 3 ciphers may be registered, but not provided. Make
-sure that openssl_get_cipher_methods() only returns provided
-ciphers, so that "in_array openssl_get_cipher_methods" style
-checks continue working as expected.
-
-(cherry picked from commit a80ae97d3176aded77ee422772608a026380fc1a)
----
- ext/openssl/openssl.c | 34 +++++++++++++++++++++++++++++++++-
- ext/openssl/php_openssl.h | 4 +++-
- 2 files changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 015cd89aa6..4ffa2185fb 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -6798,6 +6798,31 @@ PHP_FUNCTION(openssl_get_md_methods)
- }
- /* }}} */
-
-+#if PHP_OPENSSL_API_VERSION >= 0x30000
-+static void php_openssl_add_cipher_name(const char *name, void *arg)
-+{
-+ size_t len = strlen(name);
-+ zend_string *str = zend_string_alloc(len, 0);
-+ zend_str_tolower_copy(ZSTR_VAL(str), name, len);
-+ add_next_index_str((zval*)arg, str);
-+}
-+
-+static void php_openssl_add_cipher_or_alias(EVP_CIPHER *cipher, void *arg)
-+{
-+ EVP_CIPHER_names_do_all(cipher, php_openssl_add_cipher_name, arg);
-+}
-+
-+static void php_openssl_add_cipher(EVP_CIPHER *cipher, void *arg)
-+{
-+ php_openssl_add_cipher_name(EVP_CIPHER_get0_name(cipher), arg);
-+}
-+
-+static int php_openssl_compare_func(Bucket *a, Bucket *b)
-+{
-+ return string_compare_function(&a->val, &b->val);
-+}
-+#endif
-+
- /* {{{ Return array of available cipher algorithms */
- PHP_FUNCTION(openssl_get_cipher_methods)
- {
-@@ -6807,9 +6832,16 @@ PHP_FUNCTION(openssl_get_cipher_methods)
- RETURN_THROWS();
- }
- array_init(return_value);
-+#if PHP_OPENSSL_API_VERSION >= 0x30000
-+ EVP_CIPHER_do_all_provided(NULL,
-+ aliases ? php_openssl_add_cipher_or_alias : php_openssl_add_cipher,
-+ return_value);
-+ zend_hash_sort(Z_ARRVAL_P(return_value), php_openssl_compare_func, 1);
-+#else
- OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
-- aliases ? php_openssl_add_method_or_alias: php_openssl_add_method,
-+ aliases ? php_openssl_add_method_or_alias : php_openssl_add_method,
- return_value);
-+#endif
- }
- /* }}} */
-
-diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h
-index c674ead34b..16bad9e6b0 100644
---- a/ext/openssl/php_openssl.h
-+++ b/ext/openssl/php_openssl.h
-@@ -39,8 +39,10 @@ extern zend_module_entry openssl_module_entry;
- #define PHP_OPENSSL_API_VERSION 0x10001
- #elif OPENSSL_VERSION_NUMBER < 0x10100000L
- #define PHP_OPENSSL_API_VERSION 0x10002
--#else
-+#elif OPENSSL_VERSION_NUMBER < 0x30000000L
- #define PHP_OPENSSL_API_VERSION 0x10100
-+#else
-+#define PHP_OPENSSL_API_VERSION 0x30000
- #endif
- #endif
-
---
-2.31.1
-
-From 62fbe1839d980583156b0d22c49753c4666e73e8 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Wed, 4 Aug 2021 12:05:02 +0200
-Subject: [PATCH 08/39] Avoid RC4 use in another test
-
-(cherry picked from commit 503146aa87e48f075f47a093ed7868e323814a66)
----
- ext/openssl/tests/openssl_open_basic.phpt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ext/openssl/tests/openssl_open_basic.phpt b/ext/openssl/tests/openssl_open_basic.phpt
-index 5e551c507f..271a878cdf 100644
---- a/ext/openssl/tests/openssl_open_basic.phpt
-+++ b/ext/openssl/tests/openssl_open_basic.phpt
-@@ -8,7 +8,7 @@ $data = "openssl_open() test";
- $pub_key = "file://" . __DIR__ . "/public.key";
- $priv_key = "file://" . __DIR__ . "/private_rsa_1024.key";
- $wrong = "wrong";
--$method = "RC4";
-+$method = "AES-128-ECB";
-
- openssl_seal($data, $sealed, $ekeys, array($pub_key, $pub_key, $pub_key), $method);
- openssl_open($sealed, $output, $ekeys[0], $priv_key, $method);
---
-2.31.1
-
-From 95e6b2c67de6a63d059b678d14f291487f563163 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Wed, 4 Aug 2021 15:47:14 +0200
-Subject: [PATCH 09/39] Use EVP_PKEY API for
- openssl_public_encrypt/private_decrypt
-
-Use the high level API instead of the deprecated low level API.
-
-(cherry picked from commit 0233afae2762a7e7be49935ebbb981783c471d13)
----
- ext/openssl/openssl.c | 117 +++++++-----------
- .../tests/openssl_error_string_basic.phpt | 2 +-
- 2 files changed, 45 insertions(+), 74 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 4ffa2185fb..64840da451 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -6230,11 +6230,6 @@ PHP_FUNCTION(openssl_private_encrypt)
- PHP_FUNCTION(openssl_private_decrypt)
- {
- zval *key, *crypted;
-- EVP_PKEY *pkey;
-- int cryptedlen;
-- zend_string *cryptedbuf = NULL;
-- unsigned char *crypttemp;
-- int successful = 0;
- zend_long padding = RSA_PKCS1_PADDING;
- char * data;
- size_t data_len;
-@@ -6243,11 +6238,7 @@ PHP_FUNCTION(openssl_private_decrypt)
- RETURN_THROWS();
- }
-
-- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1);
--
-- RETVAL_FALSE;
--
-- pkey = php_openssl_pkey_from_zval(key, 0, "", 0);
-+ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 0, "", 0);
- if (pkey == NULL) {
- if (!EG(exception)) {
- php_error_docref(NULL, E_WARNING, "key parameter is not a valid private key");
-@@ -6255,42 +6246,33 @@ PHP_FUNCTION(openssl_private_decrypt)
- RETURN_FALSE;
- }
-
-- cryptedlen = EVP_PKEY_size(pkey);
-- crypttemp = emalloc(cryptedlen + 1);
--
-- switch (EVP_PKEY_id(pkey)) {
-- case EVP_PKEY_RSA:
-- case EVP_PKEY_RSA2:
-- cryptedlen = RSA_private_decrypt((int)data_len,
-- (unsigned char *)data,
-- crypttemp,
-- EVP_PKEY_get0_RSA(pkey),
-- (int)padding);
-- if (cryptedlen != -1) {
-- cryptedbuf = zend_string_alloc(cryptedlen, 0);
-- memcpy(ZSTR_VAL(cryptedbuf), crypttemp, cryptedlen);
-- successful = 1;
-- }
-- break;
-- default:
-- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!");
-+ size_t out_len = 0;
-+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
-+ if (!ctx || EVP_PKEY_decrypt_init(ctx) <= 0 ||
-+ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
-+ EVP_PKEY_decrypt(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
-+ php_openssl_store_errors();
-+ RETVAL_FALSE;
-+ goto cleanup;
- }
-
-- efree(crypttemp);
--
-- if (successful) {
-- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
-- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf);
-- cryptedbuf = NULL;
-- RETVAL_TRUE;
-- } else {
-+ zend_string *out = zend_string_alloc(out_len, 0);
-+ if (EVP_PKEY_decrypt(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
-+ (unsigned char *) data, data_len) <= 0) {
-+ zend_string_release(out);
- php_openssl_store_errors();
-+ RETVAL_FALSE;
-+ goto cleanup;
- }
-
-+ out = zend_string_truncate(out, out_len, 0);
-+ ZSTR_VAL(out)[out_len] = '\0';
-+ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
-+ RETVAL_TRUE;
-+
-+cleanup:
-+ EVP_PKEY_CTX_free(ctx);
- EVP_PKEY_free(pkey);
-- if (cryptedbuf) {
-- zend_string_release_ex(cryptedbuf, 0);
-- }
- }
- /* }}} */
-
-@@ -6298,10 +6280,6 @@ PHP_FUNCTION(openssl_private_decrypt)
- PHP_FUNCTION(openssl_public_encrypt)
- {
- zval *key, *crypted;
-- EVP_PKEY *pkey;
-- int cryptedlen;
-- zend_string *cryptedbuf;
-- int successful = 0;
- zend_long padding = RSA_PKCS1_PADDING;
- char * data;
- size_t data_len;
-@@ -6310,11 +6288,7 @@ PHP_FUNCTION(openssl_public_encrypt)
- RETURN_THROWS();
- }
-
-- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1);
--
-- RETVAL_FALSE;
--
-- pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0);
-+ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0);
- if (pkey == NULL) {
- if (!EG(exception)) {
- php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key");
-@@ -6322,35 +6296,32 @@ PHP_FUNCTION(openssl_public_encrypt)
- RETURN_FALSE;
- }
-
-- cryptedlen = EVP_PKEY_size(pkey);
-- cryptedbuf = zend_string_alloc(cryptedlen, 0);
--
-- switch (EVP_PKEY_id(pkey)) {
-- case EVP_PKEY_RSA:
-- case EVP_PKEY_RSA2:
-- successful = (RSA_public_encrypt((int)data_len,
-- (unsigned char *)data,
-- (unsigned char *)ZSTR_VAL(cryptedbuf),
-- EVP_PKEY_get0_RSA(pkey),
-- (int)padding) == cryptedlen);
-- break;
-- default:
-- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!");
--
-+ size_t out_len = 0;
-+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
-+ if (!ctx || EVP_PKEY_encrypt_init(ctx) <= 0 ||
-+ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
-+ EVP_PKEY_encrypt(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
-+ php_openssl_store_errors();
-+ RETVAL_FALSE;
-+ goto cleanup;
- }
-
-- if (successful) {
-- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
-- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf);
-- cryptedbuf = NULL;
-- RETVAL_TRUE;
-- } else {
-+ zend_string *out = zend_string_alloc(out_len, 0);
-+ if (EVP_PKEY_encrypt(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
-+ (unsigned char *) data, data_len) <= 0) {
-+ zend_string_release(out);
- php_openssl_store_errors();
-+ RETVAL_FALSE;
-+ goto cleanup;
- }
-+
-+ ZSTR_VAL(out)[out_len] = '\0';
-+ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
-+ RETVAL_TRUE;
-+
-+cleanup:
-+ EVP_PKEY_CTX_free(ctx);
- EVP_PKEY_free(pkey);
-- if (cryptedbuf) {
-- zend_string_release_ex(cryptedbuf, 0);
-- }
- }
- /* }}} */
-
-diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt
-index b55b7ced44..eb76dfbf77 100644
---- a/ext/openssl/tests/openssl_error_string_basic.phpt
-+++ b/ext/openssl/tests/openssl_error_string_basic.phpt
-@@ -119,7 +119,7 @@ expect_openssl_errors('openssl_private_decrypt', ['04065072']);
- // public encrypt and decrypt with failed padding check and padding
- @openssl_public_encrypt("data", $crypted, $public_key_file, 1000);
- @openssl_public_decrypt("data", $crypted, $public_key_file);
--expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '04068076', '04067072']);
-+expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '0408F090', '04067072']);
-
- // X509
- echo "X509 errors\n";
---
-2.31.1
-
-From b29b719e4741cde6d1e441e0340f038976cb461b Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Wed, 4 Aug 2021 16:56:32 +0200
-Subject: [PATCH 10/39] Use EVP_PKEY APIs for
- openssl_private_encrypt/public_decrypt
-
-Use high level APIs instead of deprecated low level APIs.
-
-(cherry picked from commit 384ad6e22412756d7a2fa7a4c35579f041784e59)
----
- ext/openssl/openssl.c | 119 +++++++-----------
- .../tests/openssl_error_string_basic.phpt | 2 +-
- 2 files changed, 45 insertions(+), 76 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 64840da451..4e9b949b5f 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -6170,10 +6170,6 @@ clean_exit:
- PHP_FUNCTION(openssl_private_encrypt)
- {
- zval *key, *crypted;
-- EVP_PKEY *pkey;
-- int cryptedlen;
-- zend_string *cryptedbuf = NULL;
-- int successful = 0;
- char * data;
- size_t data_len;
- zend_long padding = RSA_PKCS1_PADDING;
-@@ -6182,12 +6178,7 @@ PHP_FUNCTION(openssl_private_encrypt)
- RETURN_THROWS();
- }
-
-- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1);
--
-- RETVAL_FALSE;
--
-- pkey = php_openssl_pkey_from_zval(key, 0, "", 0);
--
-+ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 0, "", 0);
- if (pkey == NULL) {
- if (!EG(exception)) {
- php_error_docref(NULL, E_WARNING, "key param is not a valid private key");
-@@ -6195,33 +6186,31 @@ PHP_FUNCTION(openssl_private_encrypt)
- RETURN_FALSE;
- }
-
-- cryptedlen = EVP_PKEY_size(pkey);
-- cryptedbuf = zend_string_alloc(cryptedlen, 0);
--
-- switch (EVP_PKEY_id(pkey)) {
-- case EVP_PKEY_RSA:
-- case EVP_PKEY_RSA2:
-- successful = (RSA_private_encrypt((int)data_len,
-- (unsigned char *)data,
-- (unsigned char *)ZSTR_VAL(cryptedbuf),
-- EVP_PKEY_get0_RSA(pkey),
-- (int)padding) == cryptedlen);
-- break;
-- default:
-- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!");
-+ size_t out_len = 0;
-+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
-+ if (!ctx || EVP_PKEY_sign_init(ctx) <= 0 ||
-+ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
-+ EVP_PKEY_sign(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
-+ php_openssl_store_errors();
-+ RETVAL_FALSE;
-+ goto cleanup;
- }
-
-- if (successful) {
-- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
-- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf);
-- cryptedbuf = NULL;
-- RETVAL_TRUE;
-- } else {
-+ zend_string *out = zend_string_alloc(out_len, 0);
-+ if (EVP_PKEY_sign(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
-+ (unsigned char *) data, data_len) <= 0) {
-+ zend_string_release(out);
- php_openssl_store_errors();
-+ RETVAL_FALSE;
-+ goto cleanup;
- }
-- if (cryptedbuf) {
-- zend_string_release_ex(cryptedbuf, 0);
-- }
-+
-+ ZSTR_VAL(out)[out_len] = '\0';
-+ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
-+ RETVAL_TRUE;
-+
-+cleanup:
-+ EVP_PKEY_CTX_free(ctx);
- EVP_PKEY_free(pkey);
- }
- /* }}} */
-@@ -6329,11 +6318,6 @@ cleanup:
- PHP_FUNCTION(openssl_public_decrypt)
- {
- zval *key, *crypted;
-- EVP_PKEY *pkey;
-- int cryptedlen;
-- zend_string *cryptedbuf = NULL;
-- unsigned char *crypttemp;
-- int successful = 0;
- zend_long padding = RSA_PKCS1_PADDING;
- char * data;
- size_t data_len;
-@@ -6342,11 +6326,7 @@ PHP_FUNCTION(openssl_public_decrypt)
- RETURN_THROWS();
- }
-
-- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1);
--
-- RETVAL_FALSE;
--
-- pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0);
-+ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0);
- if (pkey == NULL) {
- if (!EG(exception)) {
- php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key");
-@@ -6354,43 +6334,32 @@ PHP_FUNCTION(openssl_public_decrypt)
- RETURN_FALSE;
- }
-
-- cryptedlen = EVP_PKEY_size(pkey);
-- crypttemp = emalloc(cryptedlen + 1);
--
-- switch (EVP_PKEY_id(pkey)) {
-- case EVP_PKEY_RSA:
-- case EVP_PKEY_RSA2:
-- cryptedlen = RSA_public_decrypt((int)data_len,
-- (unsigned char *)data,
-- crypttemp,
-- EVP_PKEY_get0_RSA(pkey),
-- (int)padding);
-- if (cryptedlen != -1) {
-- cryptedbuf = zend_string_alloc(cryptedlen, 0);
-- memcpy(ZSTR_VAL(cryptedbuf), crypttemp, cryptedlen);
-- successful = 1;
-- }
-- break;
--
-- default:
-- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!");
--
-+ size_t out_len = 0;
-+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
-+ if (!ctx || EVP_PKEY_verify_recover_init(ctx) <= 0 ||
-+ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
-+ EVP_PKEY_verify_recover(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
-+ php_openssl_store_errors();
-+ RETVAL_FALSE;
-+ goto cleanup;
- }
-
-- efree(crypttemp);
--
-- if (successful) {
-- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
-- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf);
-- cryptedbuf = NULL;
-- RETVAL_TRUE;
-- } else {
-+ zend_string *out = zend_string_alloc(out_len, 0);
-+ if (EVP_PKEY_verify_recover(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
-+ (unsigned char *) data, data_len) <= 0) {
-+ zend_string_release(out);
- php_openssl_store_errors();
-+ RETVAL_FALSE;
-+ goto cleanup;
- }
-
-- if (cryptedbuf) {
-- zend_string_release_ex(cryptedbuf, 0);
-- }
-+ out = zend_string_truncate(out, out_len, 0);
-+ ZSTR_VAL(out)[out_len] = '\0';
-+ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
-+ RETVAL_TRUE;
-+
-+cleanup:
-+ EVP_PKEY_CTX_free(ctx);
- EVP_PKEY_free(pkey);
- }
- /* }}} */
-diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt
-index eb76dfbf77..f3eb82067b 100644
---- a/ext/openssl/tests/openssl_error_string_basic.phpt
-+++ b/ext/openssl/tests/openssl_error_string_basic.phpt
-@@ -112,7 +112,7 @@ expect_openssl_errors('openssl_pkey_export', ['06065064', '0906A065']);
- expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]);
- // private encrypt with unknown padding
- @openssl_private_encrypt("data", $crypted, $private_key_file, 1000);
--expect_openssl_errors('openssl_private_encrypt', ['04066076']);
-+expect_openssl_errors('openssl_private_encrypt', ['0408F090']);
- // private decrypt with failed padding check
- @openssl_private_decrypt("data", $crypted, $private_key_file);
- expect_openssl_errors('openssl_private_decrypt', ['04065072']);
---
-2.31.1
-
-From bfdbdfb6bf128c157adfba402b89b0f82be993ab Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Thu, 5 Aug 2021 10:29:50 +0200
-Subject: [PATCH 11/39] Use EVP_PKEY APIs for key generation
-
-Use high level API instead of deprecated low level API.
-
-(cherry picked from commit 13313d9b1b9fa014fe6f92c496477e28f4f11772)
----
- ext/openssl/openssl.c | 210 +++++++++++++++-----------------
- ext/openssl/tests/bug80747.phpt | 4 +-
- 2 files changed, 101 insertions(+), 113 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 4e9b949b5f..d260670ff9 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -3656,140 +3656,130 @@ static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *pas
- return key;
- }
-
-+static int php_openssl_get_evp_pkey_type(int key_type) {
-+ switch (key_type) {
-+ case OPENSSL_KEYTYPE_RSA:
-+ return EVP_PKEY_RSA;
-+#if !defined(NO_DSA)
-+ case OPENSSL_KEYTYPE_DSA:
-+ return EVP_PKEY_DSA;
-+#endif
-+#if !defined(NO_DH)
-+ case OPENSSL_KEYTYPE_DH:
-+ return EVP_PKEY_DH;
-+#endif
-+#ifdef HAVE_EVP_PKEY_EC
-+ case OPENSSL_KEYTYPE_EC:
-+ return EVP_PKEY_EC;
-+#endif
-+ default:
-+ return -1;
-+ }
-+}
-+
- /* {{{ php_openssl_generate_private_key */
- static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req)
- {
-- char * randfile = NULL;
-- int egdsocket, seeded;
-- EVP_PKEY * return_val = NULL;
--
- if (req->priv_key_bits < MIN_KEY_LENGTH) {
- php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d",
- MIN_KEY_LENGTH, req->priv_key_bits);
- return NULL;
- }
-
-- randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE");
-+ int type = php_openssl_get_evp_pkey_type(req->priv_key_type);
-+ if (type < 0) {
-+ php_error_docref(NULL, E_WARNING, "Unsupported private key type");
-+ return NULL;
-+ }
-+
-+ int egdsocket, seeded;
-+ char *randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE");
- php_openssl_load_rand_file(randfile, &egdsocket, &seeded);
-+ PHP_OPENSSL_RAND_ADD_TIME();
-
-- if ((req->priv_key = EVP_PKEY_new()) != NULL) {
-- switch(req->priv_key_type) {
-- case OPENSSL_KEYTYPE_RSA:
-- {
-- RSA* rsaparam;
--#if OPENSSL_VERSION_NUMBER < 0x10002000L
-- /* OpenSSL 1.0.2 deprecates RSA_generate_key */
-- PHP_OPENSSL_RAND_ADD_TIME();
-- rsaparam = (RSA*)RSA_generate_key(req->priv_key_bits, RSA_F4, NULL, NULL);
--#else
-- {
-- BIGNUM *bne = (BIGNUM *)BN_new();
-- if (BN_set_word(bne, RSA_F4) != 1) {
-- BN_free(bne);
-- php_error_docref(NULL, E_WARNING, "Failed setting exponent");
-- return NULL;
-- }
-- rsaparam = RSA_new();
-- PHP_OPENSSL_RAND_ADD_TIME();
-- if (rsaparam == NULL || !RSA_generate_key_ex(rsaparam, req->priv_key_bits, bne, NULL)) {
-- php_openssl_store_errors();
-- RSA_free(rsaparam);
-- rsaparam = NULL;
-- }
-- BN_free(bne);
-- }
--#endif
-- if (rsaparam && EVP_PKEY_assign_RSA(req->priv_key, rsaparam)) {
-- return_val = req->priv_key;
-- } else {
-- php_openssl_store_errors();
-- }
-- }
-- break;
-+ EVP_PKEY *key = NULL;
-+ EVP_PKEY *params = NULL;
-+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(type, NULL);
-+ if (!ctx) {
-+ php_openssl_store_errors();
-+ goto cleanup;
-+ }
-+
-+ if (type != EVP_PKEY_RSA) {
-+ if (EVP_PKEY_paramgen_init(ctx) <= 0) {
-+ php_openssl_store_errors();
-+ goto cleanup;
-+ }
-+
-+ switch (type) {
- #if !defined(NO_DSA)
-- case OPENSSL_KEYTYPE_DSA:
-- PHP_OPENSSL_RAND_ADD_TIME();
-- {
-- DSA *dsaparam = DSA_new();
-- if (dsaparam && DSA_generate_parameters_ex(dsaparam, req->priv_key_bits, NULL, 0, NULL, NULL, NULL)) {
-- DSA_set_method(dsaparam, DSA_get_default_method());
-- if (DSA_generate_key(dsaparam)) {
-- if (EVP_PKEY_assign_DSA(req->priv_key, dsaparam)) {
-- return_val = req->priv_key;
-- } else {
-- php_openssl_store_errors();
-- }
-- } else {
-- php_openssl_store_errors();
-- DSA_free(dsaparam);
-- }
-- } else {
-- php_openssl_store_errors();
-- }
-- }
-- break;
-+ case EVP_PKEY_DSA:
-+ if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, req->priv_key_bits) <= 0) {
-+ php_openssl_store_errors();
-+ goto cleanup;
-+ }
-+ break;
- #endif
- #if !defined(NO_DH)
-- case OPENSSL_KEYTYPE_DH:
-- PHP_OPENSSL_RAND_ADD_TIME();
-- {
-- int codes = 0;
-- DH *dhparam = DH_new();
-- if (dhparam && DH_generate_parameters_ex(dhparam, req->priv_key_bits, 2, NULL)) {
-- DH_set_method(dhparam, DH_get_default_method());
-- if (DH_check(dhparam, &codes) && codes == 0 && DH_generate_key(dhparam)) {
-- if (EVP_PKEY_assign_DH(req->priv_key, dhparam)) {
-- return_val = req->priv_key;
-- } else {
-- php_openssl_store_errors();
-- }
-- } else {
-- php_openssl_store_errors();
-- DH_free(dhparam);
-- }
-- } else {
-- php_openssl_store_errors();
-- }
-- }
-- break;
-+ case EVP_PKEY_DH:
-+ if (EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, req->priv_key_bits) <= 0) {
-+ php_openssl_store_errors();
-+ goto cleanup;
-+ }
-+ break;
- #endif
- #ifdef HAVE_EVP_PKEY_EC
-- case OPENSSL_KEYTYPE_EC:
-- {
-- EC_KEY *eckey;
-- if (req->curve_name == NID_undef) {
-- php_error_docref(NULL, E_WARNING, "Missing configuration value: \"curve_name\" not set");
-- return NULL;
-- }
-- eckey = EC_KEY_new_by_curve_name(req->curve_name);
-- if (eckey) {
-- EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
-- if (EC_KEY_generate_key(eckey) &&
-- EVP_PKEY_assign_EC_KEY(req->priv_key, eckey)) {
-- return_val = req->priv_key;
-- } else {
-- EC_KEY_free(eckey);
-- }
-- }
-- }
-- break;
-+ case EVP_PKEY_EC:
-+ if (req->curve_name == NID_undef) {
-+ php_error_docref(NULL, E_WARNING, "Missing configuration value: \"curve_name\" not set");
-+ goto cleanup;
-+ }
-+
-+ if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, req->curve_name) <= 0 ||
-+ EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE) <= 0) {
-+ php_openssl_store_errors();
-+ goto cleanup;
-+ }
-+ break;
- #endif
-- default:
-- php_error_docref(NULL, E_WARNING, "Unsupported private key type");
-+ EMPTY_SWITCH_DEFAULT_CASE()
- }
-- } else {
-+
-+ if (EVP_PKEY_paramgen(ctx, ¶ms) <= 0) {
-+ php_openssl_store_errors();
-+ goto cleanup;
-+ }
-+
-+ EVP_PKEY_CTX_free(ctx);
-+ ctx = EVP_PKEY_CTX_new(params, NULL);
-+ if (!ctx) {
-+ php_openssl_store_errors();
-+ goto cleanup;
-+ }
-+ }
-+
-+ if (EVP_PKEY_keygen_init(ctx) <= 0) {
- php_openssl_store_errors();
-+ goto cleanup;
- }
-
-- php_openssl_write_rand_file(randfile, egdsocket, seeded);
-+ if (type == EVP_PKEY_RSA && EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, req->priv_key_bits) <= 0) {
-+ php_openssl_store_errors();
-+ goto cleanup;
-+ }
-
-- if (return_val == NULL) {
-- EVP_PKEY_free(req->priv_key);
-- req->priv_key = NULL;
-- return NULL;
-+ if (EVP_PKEY_keygen(ctx, &key) <= 0) {
-+ php_openssl_store_errors();
-+ goto cleanup;
- }
-
-- return return_val;
-+ req->priv_key = key;
-+
-+cleanup:
-+ php_openssl_write_rand_file(randfile, egdsocket, seeded);
-+ EVP_PKEY_free(params);
-+ EVP_PKEY_CTX_free(ctx);
-+ return key;
- }
- /* }}} */
-
-diff --git a/ext/openssl/tests/bug80747.phpt b/ext/openssl/tests/bug80747.phpt
-index 327c916688..12ae0ff0e1 100644
---- a/ext/openssl/tests/bug80747.phpt
-+++ b/ext/openssl/tests/bug80747.phpt
-@@ -14,9 +14,7 @@ $conf = array(
- 'private_key_bits' => 511,
- );
- var_dump(openssl_pkey_new($conf));
--while ($e = openssl_error_string()) {
-- echo $e, "\n";
--}
-+echo openssl_error_string(), "\n";
-
- ?>
- --EXPECTF--
---
-2.31.1
-
-From 8dfe551ef85a874df63d0bb50b2d065c3370fd7e Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Thu, 5 Aug 2021 11:50:11 +0200
-Subject: [PATCH 12/39] Relax error check
-
-The precise error is version-dependent, just check that there
-is some kind of error reported.
-
-(cherry picked from commit cd8bf0b6bd23e03bdc8d069df53a2d976809a916)
----
- ext/openssl/tests/bug80747.phpt | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ext/openssl/tests/bug80747.phpt b/ext/openssl/tests/bug80747.phpt
-index 12ae0ff0e1..3f319b4b24 100644
---- a/ext/openssl/tests/bug80747.phpt
-+++ b/ext/openssl/tests/bug80747.phpt
-@@ -14,9 +14,9 @@ $conf = array(
- 'private_key_bits' => 511,
- );
- var_dump(openssl_pkey_new($conf));
--echo openssl_error_string(), "\n";
-+var_dump(openssl_error_string() !== false);
-
- ?>
----EXPECTF--
-+--EXPECT--
- bool(false)
--error:%s:key size too small
-+bool(true)
---
-2.31.1
-
-From 44859f59f3ff3d7cf24ae146e9b0da348e6befcd Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Thu, 5 Aug 2021 12:59:13 +0200
-Subject: [PATCH 13/39] Store whether pkey object contains private key
-
-Rather than querying whether the EVP_PKEY contains private key
-information, determine this at time of construction and store it
-in the PHP object.
-
-OpenSSL doesn't provide an API for this purpose, and seems
-somewhat reluctant to add one, see
-https://github.com/openssl/openssl/issues/9467.
-
-To avoid using deprecated low-level APIs to determine whether
-something is a private key ourselves, remember it at the point
-of construction.
-
-(cherry picked from commit f878bbd96b34ac11fed66c895891570ef10b0dcb)
----
- ext/openssl/openssl.c | 155 +++++++++---------------------------------
- 1 file changed, 31 insertions(+), 124 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index d260670ff9..1fca64df15 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -201,6 +201,7 @@ static void php_openssl_request_free_obj(zend_object *object)
-
- typedef struct _php_openssl_pkey_object {
- EVP_PKEY *pkey;
-+ bool is_private;
- zend_object std;
- } php_openssl_pkey_object;
-
-@@ -224,6 +225,13 @@ static zend_object *php_openssl_pkey_create_object(zend_class_entry *class_type)
- return &intern->std;
- }
-
-+static void php_openssl_pkey_object_init(zval *zv, EVP_PKEY *pkey, bool is_private) {
-+ object_init_ex(zv, php_openssl_pkey_ce);
-+ php_openssl_pkey_object *obj = Z_OPENSSL_PKEY_P(zv);
-+ obj->pkey = pkey;
-+ obj->is_private = is_private;
-+}
-+
- static zend_function *php_openssl_pkey_get_constructor(zend_object *object) {
- zend_throw_error(NULL, "Cannot directly construct OpenSSLAsymmetricKey, use openssl_pkey_new() instead");
- return NULL;
-@@ -517,7 +525,6 @@ static X509 *php_openssl_x509_from_zval(zval *val, bool *free_cert);
- static X509_REQ *php_openssl_csr_from_param(zend_object *csr_obj, zend_string *csr_str);
- static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *passphrase, size_t passphrase_len);
-
--static int php_openssl_is_private_key(EVP_PKEY* pkey);
- static X509_STORE * php_openssl_setup_verify(zval * calist);
- static STACK_OF(X509) * php_openssl_load_all_certs_from_file(char *certfile);
- static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req);
-@@ -3362,11 +3369,8 @@ PHP_FUNCTION(openssl_csr_new)
- if (we_made_the_key) {
- /* and an object for the private key */
- zval zkey_object;
-- php_openssl_pkey_object *key_object;
-- object_init_ex(&zkey_object, php_openssl_pkey_ce);
-- key_object = Z_OPENSSL_PKEY_P(&zkey_object);
-- key_object->pkey = req.priv_key;
--
-+ php_openssl_pkey_object_init(
-+ &zkey_object, req.priv_key, /* is_private */ true);
- ZEND_TRY_ASSIGN_REF_TMP(out_pkey, &zkey_object);
- req.priv_key = NULL; /* make sure the cleanup code doesn't zap it! */
- }
-@@ -3424,7 +3428,6 @@ PHP_FUNCTION(openssl_csr_get_public_key)
- zend_string *csr_str;
- zend_bool use_shortnames = 1;
-
-- php_openssl_pkey_object *key_object;
- EVP_PKEY *tpubkey;
-
- ZEND_PARSE_PARAMETERS_START(1, 2)
-@@ -3467,9 +3470,7 @@ PHP_FUNCTION(openssl_csr_get_public_key)
- RETURN_FALSE;
- }
-
-- object_init_ex(return_value, php_openssl_pkey_ce);
-- key_object = Z_OPENSSL_PKEY_P(return_value);
-- key_object->pkey = tpubkey;
-+ php_openssl_pkey_object_init(return_value, tpubkey, /* is_private */ false);
- }
- /* }}} */
-
-@@ -3545,10 +3546,9 @@ static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *pas
- }
-
- if (Z_TYPE_P(val) == IS_OBJECT && Z_OBJCE_P(val) == php_openssl_pkey_ce) {
-- int is_priv;
--
-- key = php_openssl_pkey_from_obj(Z_OBJ_P(val))->pkey;
-- is_priv = php_openssl_is_private_key(key);
-+ php_openssl_pkey_object *obj = php_openssl_pkey_from_obj(Z_OBJ_P(val));
-+ key = obj->pkey;
-+ bool is_priv = obj->is_private;
-
- /* check whether it is actually a private key if requested */
- if (!public_key && !is_priv) {
-@@ -3783,85 +3783,6 @@ cleanup:
- }
- /* }}} */
-
--/* {{{ php_openssl_is_private_key
-- Check whether the supplied key is a private key by checking if the secret prime factors are set */
--static int php_openssl_is_private_key(EVP_PKEY* pkey)
--{
-- assert(pkey != NULL);
--
-- switch (EVP_PKEY_id(pkey)) {
-- case EVP_PKEY_RSA:
-- case EVP_PKEY_RSA2:
-- {
-- RSA *rsa = EVP_PKEY_get0_RSA(pkey);
-- if (rsa != NULL) {
-- const BIGNUM *p, *q;
--
-- RSA_get0_factors(rsa, &p, &q);
-- if (p == NULL || q == NULL) {
-- return 0;
-- }
-- }
-- }
-- break;
-- case EVP_PKEY_DSA:
-- case EVP_PKEY_DSA1:
-- case EVP_PKEY_DSA2:
-- case EVP_PKEY_DSA3:
-- case EVP_PKEY_DSA4:
-- {
-- DSA *dsa = EVP_PKEY_get0_DSA(pkey);
-- if (dsa != NULL) {
-- const BIGNUM *p, *q, *g, *pub_key, *priv_key;
--
-- DSA_get0_pqg(dsa, &p, &q, &g);
-- if (p == NULL || q == NULL) {
-- return 0;
-- }
--
-- DSA_get0_key(dsa, &pub_key, &priv_key);
-- if (priv_key == NULL) {
-- return 0;
-- }
-- }
-- }
-- break;
-- case EVP_PKEY_DH:
-- {
-- DH *dh = EVP_PKEY_get0_DH(pkey);
-- if (dh != NULL) {
-- const BIGNUM *p, *q, *g, *pub_key, *priv_key;
--
-- DH_get0_pqg(dh, &p, &q, &g);
-- if (p == NULL) {
-- return 0;
-- }
--
-- DH_get0_key(dh, &pub_key, &priv_key);
-- if (priv_key == NULL) {
-- return 0;
-- }
-- }
-- }
-- break;
--#ifdef HAVE_EVP_PKEY_EC
-- case EVP_PKEY_EC:
-- {
-- EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
-- if (ec != NULL && NULL == EC_KEY_get0_private_key(ec)) {
-- return 0;
-- }
-- }
-- break;
--#endif
-- default:
-- php_error_docref(NULL, E_WARNING, "Key type not supported in this PHP build!");
-- break;
-- }
-- return 1;
--}
--/* }}} */
--
- #define OPENSSL_GET_BN(_array, _bn, _name) do { \
- if (_bn != NULL) { \
- int len = BN_num_bytes(_bn); \
-@@ -3920,7 +3841,7 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa,
- }
-
- /* {{{ php_openssl_pkey_init_dsa */
--static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data)
-+static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_private)
- {
- BIGNUM *p, *q, *g, *priv_key, *pub_key;
- const BIGNUM *priv_key_const, *pub_key_const;
-@@ -3934,6 +3855,7 @@ static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data)
-
- OPENSSL_PKEY_SET_BN(data, pub_key);
- OPENSSL_PKEY_SET_BN(data, priv_key);
-+ *is_private = priv_key != NULL;
- if (pub_key) {
- return DSA_set0_key(dsa, pub_key, priv_key);
- }
-@@ -3998,7 +3920,7 @@ static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM
- /* }}} */
-
- /* {{{ php_openssl_pkey_init_dh */
--static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data)
-+static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private)
- {
- BIGNUM *p, *q, *g, *priv_key, *pub_key;
-
-@@ -4011,6 +3933,7 @@ static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data)
-
- OPENSSL_PKEY_SET_BN(data, priv_key);
- OPENSSL_PKEY_SET_BN(data, pub_key);
-+ *is_private = priv_key != NULL;
- if (pub_key) {
- return DH_set0_key(dh, pub_key, priv_key);
- }
-@@ -4039,7 +3962,6 @@ PHP_FUNCTION(openssl_pkey_new)
- struct php_x509_request req;
- zval * args = NULL;
- zval *data;
-- php_openssl_pkey_object *key_object;
-
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "|a!", &args) == FAILURE) {
- RETURN_THROWS();
-@@ -4056,9 +3978,7 @@ PHP_FUNCTION(openssl_pkey_new)
- RSA *rsa = RSA_new();
- if (rsa) {
- if (php_openssl_pkey_init_and_assign_rsa(pkey, rsa, data)) {
-- object_init_ex(return_value, php_openssl_pkey_ce);
-- key_object = Z_OPENSSL_PKEY_P(return_value);
-- key_object->pkey = pkey;
-+ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true);
- return;
- }
- RSA_free(rsa);
-@@ -4076,11 +3996,10 @@ PHP_FUNCTION(openssl_pkey_new)
- if (pkey) {
- DSA *dsa = DSA_new();
- if (dsa) {
-- if (php_openssl_pkey_init_dsa(dsa, data)) {
-+ bool is_private;
-+ if (php_openssl_pkey_init_dsa(dsa, data, &is_private)) {
- if (EVP_PKEY_assign_DSA(pkey, dsa)) {
-- object_init_ex(return_value, php_openssl_pkey_ce);
-- key_object = Z_OPENSSL_PKEY_P(return_value);
-- key_object->pkey = pkey;
-+ php_openssl_pkey_object_init(return_value, pkey, is_private);
- return;
- } else {
- php_openssl_store_errors();
-@@ -4101,13 +4020,10 @@ PHP_FUNCTION(openssl_pkey_new)
- if (pkey) {
- DH *dh = DH_new();
- if (dh) {
-- if (php_openssl_pkey_init_dh(dh, data)) {
-+ bool is_private;
-+ if (php_openssl_pkey_init_dh(dh, data, &is_private)) {
- if (EVP_PKEY_assign_DH(pkey, dh)) {
-- php_openssl_pkey_object *key_object;
--
-- object_init_ex(return_value, php_openssl_pkey_ce);
-- key_object = Z_OPENSSL_PKEY_P(return_value);
-- key_object->pkey = pkey;
-+ php_openssl_pkey_object_init(return_value, pkey, is_private);
- return;
- } else {
- php_openssl_store_errors();
-@@ -4133,6 +4049,7 @@ PHP_FUNCTION(openssl_pkey_new)
- if (pkey) {
- eckey = EC_KEY_new();
- if (eckey) {
-+ bool is_private = false;
- EC_GROUP *group = NULL;
- zval *bn;
- zval *x;
-@@ -4164,6 +4081,7 @@ PHP_FUNCTION(openssl_pkey_new)
- // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y'
- if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL &&
- Z_TYPE_P(bn) == IS_STRING) {
-+ is_private = true;
- d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL);
- if (!EC_KEY_set_private_key(eckey, d)) {
- php_openssl_store_errors();
-@@ -4211,10 +4129,7 @@ PHP_FUNCTION(openssl_pkey_new)
- }
- if (EC_KEY_check_key(eckey) && EVP_PKEY_assign_EC_KEY(pkey, eckey)) {
- EC_GROUP_free(group);
--
-- object_init_ex(return_value, php_openssl_pkey_ce);
-- key_object = Z_OPENSSL_PKEY_P(return_value);
-- key_object->pkey = pkey;
-+ php_openssl_pkey_object_init(return_value, pkey, is_private);
- return;
- } else {
- php_openssl_store_errors();
-@@ -4249,9 +4164,7 @@ clean_exit:
- if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) {
- if (php_openssl_generate_private_key(&req)) {
- /* pass back a key resource */
-- object_init_ex(return_value, php_openssl_pkey_ce);
-- key_object = Z_OPENSSL_PKEY_P(return_value);
-- key_object->pkey = req.priv_key;
-+ php_openssl_pkey_object_init(return_value, req.priv_key, /* is_private */ true);
- /* make sure the cleanup code doesn't zap it!
*/
- req.priv_key = NULL;
- }
-@@ -4424,7 +4337,6 @@ PHP_FUNCTION(openssl_pkey_get_public)
- {
- zval *cert;
- EVP_PKEY *pkey;
-- php_openssl_pkey_object *key_object;
-
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &cert) == FAILURE) {
- RETURN_THROWS();
-@@ -4434,9 +4346,7 @@ PHP_FUNCTION(openssl_pkey_get_public)
- RETURN_FALSE;
- }
-
-- object_init_ex(return_value, php_openssl_pkey_ce);
-- key_object = Z_OPENSSL_PKEY_P(return_value);
-- key_object->pkey = pkey;
-+ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ false);
- }
- /* }}} */
-
-@@ -4458,7 +4368,6 @@ PHP_FUNCTION(openssl_pkey_get_private)
- EVP_PKEY *pkey;
- char * passphrase = "";
- size_t passphrase_len = sizeof("")-1;
-- php_openssl_pkey_object *key_object;
-
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|s!", &cert, &passphrase, &passphrase_len) == FAILURE) {
- RETURN_THROWS();
-@@ -4473,9 +4382,7 @@ PHP_FUNCTION(openssl_pkey_get_private)
- RETURN_FALSE;
- }
-
-- object_init_ex(return_value, php_openssl_pkey_ce);
-- key_object = Z_OPENSSL_PKEY_P(return_value);
-- key_object->pkey = pkey;
-+ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true);
- }
-
- /* }}} */
---
-2.31.1
-
-From c58ef46342a52c8b81ee6f727257a2b471b6d9c3 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Thu, 5 Aug 2021 14:59:16 +0200
-Subject: [PATCH 14/39] Add test for openssl_dh_compute_key()
-
-This function was not tested at all :(
-
-(cherry picked from commit 7168f71e00676172e7fcf710adfc07eccd6714e6)
----
- ext/openssl/tests/openssl_dh_compute_key.phpt | 29 +++++++++++++++++++
- 1 file changed, 29 insertions(+)
- create mode 100644 ext/openssl/tests/openssl_dh_compute_key.phpt
-
-diff --git a/ext/openssl/tests/openssl_dh_compute_key.phpt b/ext/openssl/tests/openssl_dh_compute_key.phpt
-new file mode 100644
-index 0000000000..8730f4b57d
---- /dev/null
-+++ b/ext/openssl/tests/openssl_dh_compute_key.phpt
-@@ -0,0 +1,29 @@
-+--TEST--
-+openssl_dh_compute_key()
-+--FILE--
-+
-+--EXPECT--
-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
---
-2.31.1
-
-From fbb478f86081d4d879d1ed644c37842e0d9b1192 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Thu, 5 Aug 2021 14:52:56 +0200
-Subject: [PATCH 15/39] Extract php_openssl_pkey_derive() function
-
-To allow sharing it with the openssl_dh_compute_key() implementation.
-
-(cherry picked from commit c6542b2a1e431e7fa980bd97c696c8c48fb58dc3)
----
- ext/openssl/openssl.c | 77 +++++++++++++++++++++++-------------------
- 1 file changed, 41 insertions(+), 36 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 1fca64df15..bf3f70d355 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -4560,6 +4560,34 @@ PHP_FUNCTION(openssl_pkey_get_details)
- }
- /* }}} */
-
-+static zend_string *php_openssl_pkey_derive(EVP_PKEY *key, EVP_PKEY *peer_key, size_t key_size) {
-+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(key, NULL);
-+ if (!ctx) {
-+ return NULL;
-+ }
-+
-+ if (EVP_PKEY_derive_init(ctx) <= 0 ||
-+ EVP_PKEY_derive_set_peer(ctx, peer_key) <= 0 ||
-+ (key_size == 0 && EVP_PKEY_derive(ctx, NULL, &key_size) <= 0)) {
-+ php_openssl_store_errors();
-+ EVP_PKEY_CTX_free(ctx);
-+ return NULL;
-+ }
-+
-+ zend_string *result = zend_string_alloc(key_size, 0);
-+ if (EVP_PKEY_derive(ctx, (unsigned char *)ZSTR_VAL(result), &key_size) <= 0) {
-+ php_openssl_store_errors();
-+ zend_string_release_ex(result, 0);
-+ EVP_PKEY_CTX_free(ctx);
-+ return NULL;
-+ }
-+
-+ ZSTR_LEN(result) = key_size;
-+ ZSTR_VAL(result)[key_size] = 0;
-+ EVP_PKEY_CTX_free(ctx);
-+ return result;
-+}
-+
- /* {{{ Computes shared secret for public value of remote DH key and local DH key */
- PHP_FUNCTION(openssl_dh_compute_key)
- {
-@@ -4567,7 +4595,6 @@ PHP_FUNCTION(openssl_dh_compute_key)
- char *pub_str;
- size_t pub_len;
- DH *dh;
-- EVP_PKEY *pkey;
- BIGNUM *pub;
- zend_string *data;
- int len;
-@@ -4578,11 +4605,12 @@ PHP_FUNCTION(openssl_dh_compute_key)
-
- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(pub_len,
pub_key, 1);
-
-- pkey = Z_OPENSSL_PKEY_P(key)->pkey;
-+ EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey;
-
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) {
- RETURN_FALSE;
- }
-+
- dh = EVP_PKEY_get0_DH(pkey);
- if (dh == NULL) {
- RETURN_FALSE;
-@@ -4612,59 +4640,36 @@ PHP_FUNCTION(openssl_pkey_derive)
- {
- zval *priv_key;
- zval *peer_pub_key;
-- EVP_PKEY *pkey = NULL;
-- EVP_PKEY *peer_key = NULL;
-- EVP_PKEY_CTX *ctx = NULL;
-- size_t key_size;
- zend_long key_len = 0;
-- zend_string *result;
-
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz|l", &peer_pub_key, &priv_key, &key_len) == FAILURE) {
- RETURN_THROWS();
- }
-
-- RETVAL_FALSE;
- if (key_len < 0) {
- zend_argument_value_error(3, "must be greater than or equal to 0");
- RETURN_THROWS();
- }
-
-- key_size = key_len;
-- pkey = php_openssl_pkey_from_zval(priv_key, 0, "", 0);
-+ EVP_PKEY *pkey = php_openssl_pkey_from_zval(priv_key, 0, "", 0);
- if (!pkey) {
-- goto cleanup;
-+ RETURN_FALSE;
- }
-
-- peer_key = php_openssl_pkey_from_zval(peer_pub_key, 1, NULL, 0);
-+ EVP_PKEY *peer_key = php_openssl_pkey_from_zval(peer_pub_key, 1, NULL, 0);
- if (!peer_key) {
-- goto cleanup;
-- }
--
-- ctx = EVP_PKEY_CTX_new(pkey, NULL);
-- if (!ctx) {
-- goto cleanup;
-- }
--
-- if (EVP_PKEY_derive_init(ctx) > 0
-- && EVP_PKEY_derive_set_peer(ctx, peer_key) > 0
-- && (key_size > 0 || EVP_PKEY_derive(ctx, NULL, &key_size) > 0)
-- && (result = zend_string_alloc(key_size, 0)) != NULL) {
-- if (EVP_PKEY_derive(ctx, (unsigned char*)ZSTR_VAL(result), &key_size) > 0) {
-- ZSTR_LEN(result) = key_size;
-- ZSTR_VAL(result)[key_size] = 0;
-- RETVAL_NEW_STR(result);
-- } else {
-- php_openssl_store_errors();
-- zend_string_release_ex(result, 0);
-- RETVAL_FALSE;
-- }
-+ EVP_PKEY_free(pkey);
-+ RETURN_FALSE;
- }
-
--cleanup:
-+ zend_string *result = php_openssl_pkey_derive(pkey, peer_key, key_len);
- EVP_PKEY_free(pkey);
- EVP_PKEY_free(peer_key);
-- if (ctx) {
-- EVP_PKEY_CTX_free(ctx);
-+
-+ if (result) {
-+ RETURN_NEW_STR(result);
-+ }
else {
-+ RETURN_FALSE;
- }
- }
- /* }}} */
---
-2.31.1
-
-From f8f202ae92bf2c92cec4ad8d6bf2f57236ccd976 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Thu, 5 Aug 2021 15:58:20 +0200
-Subject: [PATCH 16/39] Avoid DH_compute_key() with OpenSSL 3
-
-Instead construct a proper EVP_PKEY for the public key and
-perform a derive operation.
-
-Unfortunately we can't use a common code path here, because
-EVP_PKEY_set1_encoded_public_key() formerly known as
-EVP_PKEY_set1_tls_encodedpoint() does not appear to work with
-DH keys prior to OpenSSL 3.
-
-(cherry picked from commit cb48260fdd7e8a5a636e68917eca484530af5c94)
----
- ext/openssl/openssl.c | 64 +++++++++++++++++++++++++++----------------
- 1 file changed, 40 insertions(+), 24 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index bf3f70d355..91d2589aad 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -4588,16 +4588,48 @@ static zend_string *php_openssl_pkey_derive(EVP_PKEY *key, EVP_PKEY *peer_key, s
- return result;
- }
-
-+static zend_string *php_openssl_dh_compute_key(EVP_PKEY *pkey, char *pub_str, size_t pub_len) {
-+#if PHP_OPENSSL_API_VERSION >= 0x30000
-+ EVP_PKEY *peer_key = EVP_PKEY_new();
-+ if (!peer_key || EVP_PKEY_copy_parameters(peer_key, pkey) <= 0 ||
-+ EVP_PKEY_set1_encoded_public_key(peer_key, (unsigned char *) pub_str, pub_len) <= 0) {
-+ php_openssl_store_errors();
-+ EVP_PKEY_free(peer_key);
-+ return NULL;
-+ }
-+
-+ zend_string *result = php_openssl_pkey_derive(pkey, peer_key, 0);
-+ EVP_PKEY_free(peer_key);
-+ return result;
-+#else
-+ DH *dh = EVP_PKEY_get0_DH(pkey);
-+ if (dh == NULL) {
-+ return NULL;
-+ }
-+
-+ BIGNUM *pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL);
-+ zend_string *data = zend_string_alloc(DH_size(dh), 0);
-+ int len = DH_compute_key((unsigned char*)ZSTR_VAL(data), pub, dh);
-+ BN_free(pub);
-+
-+ if (len < 0) {
-+ php_openssl_store_errors();
-+ zend_string_release_ex(data, 0);
-+ return NULL;
-+ }
-+
-+
ZSTR_LEN(data) = len;
-+ ZSTR_VAL(data)[len] = 0;
-+ return data;
-+#endif
-+}
-+
- /* {{{ Computes shared secret for public value of remote DH key and local DH key */
- PHP_FUNCTION(openssl_dh_compute_key)
- {
- zval *key;
- char *pub_str;
- size_t pub_len;
-- DH *dh;
-- BIGNUM *pub;
-- zend_string *data;
-- int len;
-
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "sO", &pub_str, &pub_len, &key, php_openssl_pkey_ce) == FAILURE) {
- RETURN_THROWS();
-@@ -4606,32 +4638,16 @@ PHP_FUNCTION(openssl_dh_compute_key)
- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(pub_len, pub_key, 1);
-
- EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey;
--
- if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) {
- RETURN_FALSE;
- }
-
-- dh = EVP_PKEY_get0_DH(pkey);
-- if (dh == NULL) {
-- RETURN_FALSE;
-- }
--
-- pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL);
--
-- data = zend_string_alloc(DH_size(dh), 0);
-- len = DH_compute_key((unsigned char*)ZSTR_VAL(data), pub, dh);
--
-- if (len >= 0) {
-- ZSTR_LEN(data) = len;
-- ZSTR_VAL(data)[len] = 0;
-- RETVAL_NEW_STR(data);
-+ zend_string *result = php_openssl_dh_compute_key(pkey, pub_str, pub_len);
-+ if (result) {
-+ RETURN_NEW_STR(result);
- } else {
-- php_openssl_store_errors();
-- zend_string_release_ex(data, 0);
-- RETVAL_FALSE;
-+ RETURN_FALSE;
- }
--
-- BN_free(pub);
- }
- /* }}} */
-
---
-2.31.1
-
-From fbb13f6bf183f1d2d95fe2aa48edce300aad5fd7 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Wed, 4 Aug 2021 14:54:59 +0200
-Subject: [PATCH 17/39] Use different algorithm in pkcs7 tests
-
-The default of OPENSSL_CIPHER_RC2_40 is no longer (non-legacy)
-supported in OpenSSL 3, specify a newer cipher instead.
-
-We should probably either change the default (if acceptable) or
-make the parameter required.
- -(cherry picked from commit 563b3e3472d7c5e3502fb49ef023b6e18ed0f22a) ---- - .../tests/openssl_pkcs7_decrypt_basic.phpt | 3 ++- - .../tests/openssl_pkcs7_encrypt_basic.phpt | 23 ++++++++++--------- - 2 files changed, 14 insertions(+), 12 deletions(-) - -diff --git a/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt b/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt -index eb0698da9f..0d4da7a251 100644 ---- a/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt -+++ b/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt -@@ -19,8 +19,9 @@ $single_cert = "file://" . __DIR__ . "/cert.crt"; - $headers = array("test@test", "testing openssl_pkcs7_encrypt()"); - $wrong = "wrong"; - $empty = ""; -+$cipher = OPENSSL_CIPHER_AES_128_CBC; - --openssl_pkcs7_encrypt($infile, $encrypted, $single_cert, $headers); -+openssl_pkcs7_encrypt($infile, $encrypted, $single_cert, $headers, 0, $cipher); - var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, $single_cert, $privkey)); - var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, openssl_x509_read($single_cert), $privkey)); - var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, $single_cert, $wrong)); -diff --git a/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt b/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt -index ef9b25e70b..7a600bc292 100644 ---- a/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt -+++ b/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt -@@ -20,19 +20,20 @@ $headers = array("test@test", "testing openssl_pkcs7_encrypt()"); - $empty_headers = array(); - $wrong = "wrong"; - $empty = ""; -+$cipher = OPENSSL_CIPHER_AES_128_CBC; - --var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $headers)); --var_dump(openssl_pkcs7_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers)); -+var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $headers, 0, $cipher)); -+var_dump(openssl_pkcs7_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers, 0, $cipher)); - 
var_dump(openssl_pkcs7_decrypt($outfile, $outfile2, $single_cert, $privkey)); --var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $assoc_headers)); --var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $empty_headers)); --var_dump(openssl_pkcs7_encrypt($wrong, $outfile, $single_cert, $headers)); --var_dump(openssl_pkcs7_encrypt($empty, $outfile, $single_cert, $headers)); --var_dump(openssl_pkcs7_encrypt($infile, $empty, $single_cert, $headers)); --var_dump(openssl_pkcs7_encrypt($infile, $outfile, $wrong, $headers)); --var_dump(openssl_pkcs7_encrypt($infile, $outfile, $empty, $headers)); --var_dump(openssl_pkcs7_encrypt($infile, $outfile, $multi_certs, $headers)); --var_dump(openssl_pkcs7_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs) , $headers)); -+var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $assoc_headers, 0, $cipher)); -+var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $empty_headers, 0, $cipher)); -+var_dump(openssl_pkcs7_encrypt($wrong, $outfile, $single_cert, $headers, 0, $cipher)); -+var_dump(openssl_pkcs7_encrypt($empty, $outfile, $single_cert, $headers, 0, $cipher)); -+var_dump(openssl_pkcs7_encrypt($infile, $empty, $single_cert, $headers, 0, $cipher)); -+var_dump(openssl_pkcs7_encrypt($infile, $outfile, $wrong, $headers, 0, $cipher)); -+var_dump(openssl_pkcs7_encrypt($infile, $outfile, $empty, $headers, 0, $cipher)); -+var_dump(openssl_pkcs7_encrypt($infile, $outfile, $multi_certs, $headers, 0, $cipher)); -+var_dump(openssl_pkcs7_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs), $headers, 0, $cipher)); - - if (file_exists($outfile)) { - echo "true\n"; --- -2.31.1 - -From e6d9c6b6cfcc255124bb42b409c29db854ff828d Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Thu, 5 Aug 2021 16:30:55 +0200 -Subject: [PATCH 18/39] Use different algorithm in cms tests - -Same as with pkcs7, switch these tests to use an algorithm that -OpenSSL 3 supports out of the 
box. - -Once again, we should consider changing the default or making it -required. - -(cherry picked from commit ec4d926a80fe93c80d2b52f0178bc627097d9288) ---- - ext/openssl/tests/openssl_cms_decrypt_basic.phpt | 3 ++- - ext/openssl/tests/openssl_cms_encrypt_der.phpt | 3 ++- - ext/openssl/tests/openssl_cms_encrypt_pem.phpt | 3 ++- - 3 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/ext/openssl/tests/openssl_cms_decrypt_basic.phpt b/ext/openssl/tests/openssl_cms_decrypt_basic.phpt -index 86c70f4fde..709194ec05 100644 ---- a/ext/openssl/tests/openssl_cms_decrypt_basic.phpt -+++ b/ext/openssl/tests/openssl_cms_decrypt_basic.phpt -@@ -15,8 +15,9 @@ $single_cert = "file://" . __DIR__ . "/cert.crt"; - $headers = array("test@test", "testing openssl_cms_encrypt()"); - $wrong = "wrong"; - $empty = ""; -+$cipher = OPENSSL_CIPHER_AES_128_CBC; - --openssl_cms_encrypt($infile, $encrypted, $single_cert, $headers); -+openssl_cms_encrypt($infile, $encrypted, $single_cert, $headers, cipher_algo: $cipher); - - var_dump(openssl_cms_decrypt($encrypted, $outfile, $single_cert, $privkey)); - print("\nDecrypted text:\n"); -diff --git a/ext/openssl/tests/openssl_cms_encrypt_der.phpt b/ext/openssl/tests/openssl_cms_encrypt_der.phpt -index e7aa8f4dad..06bfcabeb4 100644 ---- a/ext/openssl/tests/openssl_cms_encrypt_der.phpt -+++ b/ext/openssl/tests/openssl_cms_encrypt_der.phpt -@@ -14,8 +14,9 @@ $decryptfile = $tname . ".out"; - $single_cert = "file://" . __DIR__ . "/cert.crt"; - $privkey = "file://" . __DIR__ . 
"/private_rsa_1024.key"; - $headers = array("test@test", "testing openssl_cms_encrypt()"); -+$cipher = OPENSSL_CIPHER_AES_128_CBC; - --var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_DER)); -+var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_DER, $cipher)); - if (openssl_cms_decrypt($cryptfile, $decryptfile, $single_cert, $privkey, OPENSSL_ENCODING_DER) == false) { - print "DER decrypt error\n"; - print "recipient:\n"; -diff --git a/ext/openssl/tests/openssl_cms_encrypt_pem.phpt b/ext/openssl/tests/openssl_cms_encrypt_pem.phpt -index 929f3f2e02..4030862391 100644 ---- a/ext/openssl/tests/openssl_cms_encrypt_pem.phpt -+++ b/ext/openssl/tests/openssl_cms_encrypt_pem.phpt -@@ -14,8 +14,9 @@ $decryptfile = $tname . ".pemout"; - $single_cert = "file://" . __DIR__ . "/cert.crt"; - $privkey = "file://" . __DIR__ . "/private_rsa_1024.key"; - $headers = array("test@test", "testing openssl_cms_encrypt()"); -+$cipher = OPENSSL_CIPHER_AES_128_CBC; - --var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_PEM)); -+var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_PEM, $cipher)); - if (openssl_cms_decrypt($cryptfile, $decryptfile, $single_cert, $privkey, OPENSSL_ENCODING_PEM) == false) { - print "PEM decrypt error\n"; - print "recipient:\n"; --- -2.31.1 - -From 31e60d155d01253ab42f490fecd0f2a5e537bc47 Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Thu, 5 Aug 2021 17:07:44 +0200 -Subject: [PATCH 19/39] Use larger key size for DSA/DH tests - -OpenSSL 3 validates allowed sizes strictly, pick minimum sizes -that are supported. 
- -(cherry picked from commit 1cf4fb739f7a4fa8404a4c0958f13d04eae519d4) ---- - ext/openssl/tests/bug73711.cnf | 3 --- - ext/openssl/tests/bug73711.phpt | 11 ++++++++--- - 2 files changed, 8 insertions(+), 6 deletions(-) - delete mode 100644 ext/openssl/tests/bug73711.cnf - -diff --git a/ext/openssl/tests/bug73711.cnf b/ext/openssl/tests/bug73711.cnf -deleted file mode 100644 -index 0d27d910d4..0000000000 ---- a/ext/openssl/tests/bug73711.cnf -+++ /dev/null -@@ -1,3 +0,0 @@ --[ req ] --default_bits = 384 -- -diff --git a/ext/openssl/tests/bug73711.phpt b/ext/openssl/tests/bug73711.phpt -index 0b3f91b8fe..4e4bba8aa8 100644 ---- a/ext/openssl/tests/bug73711.phpt -+++ b/ext/openssl/tests/bug73711.phpt -@@ -6,9 +6,14 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded"); - ?> - --FILE-- - OPENSSL_KEYTYPE_DSA, 'config' => $cnf])); --var_dump(openssl_pkey_new(["private_key_type" => OPENSSL_KEYTYPE_DH, 'config' => $cnf])); -+var_dump(openssl_pkey_new([ -+ "private_key_type" => OPENSSL_KEYTYPE_DSA, -+ "private_key_bits" => 1024, -+])); -+var_dump(openssl_pkey_new([ -+ "private_key_type" => OPENSSL_KEYTYPE_DH, -+ "private_key_bits" => 512, -+])); - echo "DONE"; - ?> - --EXPECTF-- --- -2.31.1 - -From b93f08093684d24a80857fec7ede1c41f440cff5 Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Wed, 4 Aug 2021 13:54:26 +0200 -Subject: [PATCH 20/39] Skip some tests if cipher not available - -(cherry picked from commit d23a8b33abc3cd7e516563877a3f698b7a94ac10) ---- - ext/openssl/tests/bug71917.phpt | 1 + - ext/openssl/tests/bug72362.phpt | 1 + - ext/openssl/tests/openssl_decrypt_basic.phpt | 15 ++++++++++----- - 3 files changed, 12 insertions(+), 5 deletions(-) - -diff --git a/ext/openssl/tests/bug71917.phpt b/ext/openssl/tests/bug71917.phpt -index a68cf0162c..0cc518c4ef 100644 ---- a/ext/openssl/tests/bug71917.phpt -+++ b/ext/openssl/tests/bug71917.phpt -@@ -3,6 +3,7 @@ Bug #71917: openssl_open() returns junk on envelope < 16 bytes - --SKIPIF-- - - --FILE-- - - 
--FILE-- - -Date: Thu, 5 Aug 2021 16:29:43 +0200 -Subject: [PATCH 21/39] Use different cipher in one more CMS test - -Followup to ec4d926a80fe93c80d2b52f0178bc627097d9288 -- I failed -to squash in this commit. - -(cherry picked from commit a2c201351b32b1a7c44f6c6692c2a9fca9179e17) ---- - .../tests/openssl_cms_encrypt_basic.phpt | 23 ++++++++++--------- - 1 file changed, 12 insertions(+), 11 deletions(-) - -diff --git a/ext/openssl/tests/openssl_cms_encrypt_basic.phpt b/ext/openssl/tests/openssl_cms_encrypt_basic.phpt -index f1a0c6af8b..ee706ebfba 100644 ---- a/ext/openssl/tests/openssl_cms_encrypt_basic.phpt -+++ b/ext/openssl/tests/openssl_cms_encrypt_basic.phpt -@@ -18,20 +18,21 @@ $headers = array("test@test", "testing openssl_cms_encrypt()"); - $empty_headers = array(); - $wrong = "wrong"; - $empty = ""; -+$cipher = OPENSSL_CIPHER_AES_128_CBC; - --var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $headers)); --var_dump(openssl_cms_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers)); -+var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $headers, cipher_algo: $cipher)); -+var_dump(openssl_cms_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers, cipher_algo: $cipher)); - var_dump(openssl_cms_decrypt($outfile, $outfile2, $single_cert, $privkey)); - readfile($outfile2); --var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $assoc_headers)); --var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $empty_headers)); --var_dump(openssl_cms_encrypt($wrong, $outfile, $single_cert, $headers)); --var_dump(openssl_cms_encrypt($empty, $outfile, $single_cert, $headers)); --var_dump(openssl_cms_encrypt($infile, $empty, $single_cert, $headers)); --var_dump(openssl_cms_encrypt($infile, $outfile, $wrong, $headers)); --var_dump(openssl_cms_encrypt($infile, $outfile, $empty, $headers)); --var_dump(openssl_cms_encrypt($infile, $outfile, $multi_certs, $headers)); --var_dump(openssl_cms_encrypt($infile, 
$outfile, array_map('openssl_x509_read', $multi_certs) , $headers)); -+var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $assoc_headers, cipher_algo: $cipher)); -+var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $empty_headers, cipher_algo: $cipher)); -+var_dump(openssl_cms_encrypt($wrong, $outfile, $single_cert, $headers, cipher_algo: $cipher)); -+var_dump(openssl_cms_encrypt($empty, $outfile, $single_cert, $headers, cipher_algo: $cipher)); -+var_dump(openssl_cms_encrypt($infile, $empty, $single_cert, $headers, cipher_algo: $cipher)); -+var_dump(openssl_cms_encrypt($infile, $outfile, $wrong, $headers, cipher_algo: $cipher)); -+var_dump(openssl_cms_encrypt($infile, $outfile, $empty, $headers, cipher_algo: $cipher)); -+var_dump(openssl_cms_encrypt($infile, $outfile, $multi_certs, $headers, cipher_algo: $cipher)); -+var_dump(openssl_cms_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs), $headers, cipher_algo: $cipher)); - - if (file_exists($outfile)) { - echo "true\n"; --- -2.31.1 - -From c42a69def274fb77cbcb3db4189841e3f582803a Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Fri, 6 Aug 2021 10:35:49 +0200 -Subject: [PATCH 22/39] Generate pkcs12_read test inputs on the fly - -The old p12_with_extra_certs.p12 file uses an unsupported something. 
- -(cherry picked from commit 5843ba518cfb9ac6ae6d6a69629239cbf77d4cfb) ---- - ext/openssl/tests/bug74022_2.phpt | 10 ++-- - .../tests/openssl_pkcs12_read_basic.phpt | 46 ++++++++++-------- - ext/openssl/tests/p12_with_extra_certs.p12 | Bin 3205 -> 0 bytes - 3 files changed, 31 insertions(+), 25 deletions(-) - delete mode 100644 ext/openssl/tests/p12_with_extra_certs.p12 - -diff --git a/ext/openssl/tests/bug74022_2.phpt b/ext/openssl/tests/bug74022_2.phpt -index 5df37fb3c9..9c38387157 100644 ---- a/ext/openssl/tests/bug74022_2.phpt -+++ b/ext/openssl/tests/bug74022_2.phpt -@@ -12,11 +12,13 @@ function test($p12_contents, $password) { - var_dump(count($cert_data['extracerts'])); - } - --$p12_base64 = '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'; -+$cert = file_get_contents(__DIR__ . "/public.crt"); -+$priv = file_get_contents(__DIR__ . "/private.crt"); -+$extracert = file_get_contents(__DIR__ . "/cert.crt"); -+$pass = "qwerty"; -+openssl_pkcs12_export($cert, $p12, $priv, $pass, array('extracerts' => [$extracert, $extracert])); - --$p12 = base64_decode($p12_base64); -- --test($p12, 'qwerty'); -+test($p12, $pass); - ?> - --EXPECT-- - int(2) -diff --git a/ext/openssl/tests/openssl_pkcs12_read_basic.phpt b/ext/openssl/tests/openssl_pkcs12_read_basic.phpt -index b81b4d9dac..8cb2b41fd7 100644 ---- a/ext/openssl/tests/openssl_pkcs12_read_basic.phpt -+++ b/ext/openssl/tests/openssl_pkcs12_read_basic.phpt -@@ -4,10 +4,12 @@ openssl_pkcs12_read() tests - - --FILE-- - $extracert)); - - var_dump(openssl_pkcs12_read("", $certs, "")); - var_dump(openssl_pkcs12_read($p12, $certs, "")); -@@ -73,24 +75,26 @@ MK80GEnRQIkB7uZVk+r0HusK - ["extracerts"]=> - array(1) { - [0]=> -- string(1111) "-----BEGIN CERTIFICATE----- --MIIDBjCCAe4CCQDaL5/+UVeXuTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB --VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 --cyBQdHkgTHRkMB4XDTE1MDYxMDEyNDAwNVoXDTE2MDYwOTEyNDAwNVowRTELMAkG 
--A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 --IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB --AL/IF7bW0vpEg5A054SDqTi5pkSeie6nyIT77qCAVI5PMlhNjxuqDIlLpCWonvKb --LMRtp7t24BsQBRgQgps8mtfRr0gV1qq9HMfDj2bZdGcTShZN/M/BFATwxaNRTHl9 --ey8zxGcLd4aFFBlVhXHYdBXg/PG/oxJMAFuMwa+KxSP6Mqp1FlOZtvUUieQcToMf --Mh8Lbr4g/yHFj5lgWIJ2fmJjHJZ4wf9QBeGUrVqqxzSDEL9f0PGy+grqSHoIzLr3 --+uhvhoI85nCyZs9+lrELuQKqbiZ8Q6Vmj6JGt3miNBFVTbBpP9GK8sVuVQwgqd8p --C3e8hHqv7vwF+s0zjiZ+rCcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdpTtiyDJ --0wLB18iunXCMUJpjc/HVYEp5P9vl2E/bcZfGns/8KxNHoe9mgJycr3mwjCjMjVx2 --L/9q/8XoT02aBncwAx4oZ2H0qfjZppaUSnSc1Uv+dsldDC2mZvJgwXN7jtQmU5P3 --cspFHuJoYK8AqYJqlO6E4L9uRF7dLEliUnrBpF4BxziwskTquRX+zgD+fmk0L5O8 --qqvm8btWCxfng+qD7UHFWbUQ2IegZ3VrBWJ2XsxOvokMM4HoHVb0BZgq8Dvu0XJ9 --EriEQkcydtrRKtlcWHLKcJuNUnkw2qfj+F8mmdaZib8Apa1UCkt0ZlpyYO3V2ejY --WIjafwJYrv6f5g== -+ string(1249) "-----BEGIN CERTIFICATE----- -+MIIDbDCCAtWgAwIBAgIJAK7FVsxyN1CiMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD -+VQQGEwJCUjEaMBgGA1UECBMRUmlvIEdyYW5kZSBkbyBTdWwxFTATBgNVBAcTDFBv -+cnRvIEFsZWdyZTEeMBwGA1UEAxMVSGVucmlxdWUgZG8gTi4gQW5nZWxvMR8wHQYJ -+KoZIhvcNAQkBFhBobmFuZ2Vsb0BwaHAubmV0MB4XDTA4MDYzMDEwMjg0M1oXDTA4 -+MDczMDEwMjg0M1owgYExCzAJBgNVBAYTAkJSMRowGAYDVQQIExFSaW8gR3JhbmRl -+IGRvIFN1bDEVMBMGA1UEBxMMUG9ydG8gQWxlZ3JlMR4wHAYDVQQDExVIZW5yaXF1 -+ZSBkbyBOLiBBbmdlbG8xHzAdBgkqhkiG9w0BCQEWEGhuYW5nZWxvQHBocC5uZXQw -+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMteno+QK1ulX4/WDAVBYfoTPRTz -+e4SZLwgael4jwWTytj+8c5nNllrFELD6WjJzfjaoIMhCF4w4I2bkWR6/PTqrvnv+ -+iiiItHfKvJgYqIobUhkiKmWa2wL3mgqvNRIqTrTC4jWZuCkxQ/ksqL9O/F6zk+aR -+S1d+KbPaqCR5Rw+lAgMBAAGjgekwgeYwHQYDVR0OBBYEFNt+QHK9XDWF7CkpgRLo -+Ymhqtz99MIG2BgNVHSMEga4wgauAFNt+QHK9XDWF7CkpgRLoYmhqtz99oYGHpIGE -+MIGBMQswCQYDVQQGEwJCUjEaMBgGA1UECBMRUmlvIEdyYW5kZSBkbyBTdWwxFTAT -+BgNVBAcTDFBvcnRvIEFsZWdyZTEeMBwGA1UEAxMVSGVucmlxdWUgZG8gTi4gQW5n -+ZWxvMR8wHQYJKoZIhvcNAQkBFhBobmFuZ2Vsb0BwaHAubmV0ggkArsVWzHI3UKIw 
-+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCP1GUnStC0TBqngr3Kx+zS -+UW8KutKO0ORc5R8aV/x9LlaJrzPyQJgiPpu5hXogLSKRIHxQS3X2+Y0VvIpW72LW -+PVKPhYlNtO3oKnfoJGKin0eEhXRZMjfEW/kznY+ZZmNifV2r8s+KhNAqI4PbClvn -+4vh8xF/9+eVEj+hM+0OflA== - -----END CERTIFICATE----- - " - } - --- -2.31.1 - -From 8e99695bb1f630edee4ddb44ae78e99190b5efb3 Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Fri, 6 Aug 2021 11:15:18 +0200 -Subject: [PATCH 23/39] Do not special case export of EC keys - -All other private keys are exported in PKCS#8 format, while EC -keys use traditional format. Switch them to use PKCS#8 format as -well. - -As the OpenSSL docs say: - -> PEM_write_bio_PrivateKey_traditional() writes out a private key -> in the "traditional" format with a simple private key marker and -> should only be used for compatibility with legacy programs. - -(cherry picked from commit f2d3e75933fa155a5281c824263780dbc660ecb1) ---- - ext/openssl/openssl.c | 36 ++++--------------- - .../tests/openssl_pkey_export_basic.phpt | 6 +++- - 2 files changed, 11 insertions(+), 31 deletions(-) - -diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c -index 91d2589aad..b360b0506e 100644 ---- a/ext/openssl/openssl.c -+++ b/ext/openssl/openssl.c -@@ -4225,21 +4225,9 @@ PHP_FUNCTION(openssl_pkey_export_to_file) - cipher = NULL; - } - -- switch (EVP_PKEY_base_id(key)) { --#ifdef HAVE_EVP_PKEY_EC -- case EVP_PKEY_EC: -- pem_write = PEM_write_bio_ECPrivateKey( -- bio_out, EVP_PKEY_get0_EC_KEY(key), cipher, -- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); -- break; --#endif -- default: -- pem_write = PEM_write_bio_PrivateKey( -- bio_out, key, cipher, -- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); -- break; -- } -- -+ pem_write = PEM_write_bio_PrivateKey( -+ bio_out, key, cipher, -+ (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); - if (pem_write) { - /* Success! 
- * If returning the output as a string, do so now */
-@@ -4297,21 +4285,9 @@ PHP_FUNCTION(openssl_pkey_export)
- cipher = NULL;
- }
-
-- switch (EVP_PKEY_base_id(key)) {
--#ifdef HAVE_EVP_PKEY_EC
-- case EVP_PKEY_EC:
-- pem_write = PEM_write_bio_ECPrivateKey(
-- bio_out, EVP_PKEY_get0_EC_KEY(key), cipher,
-- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
-- break;
--#endif
-- default:
-- pem_write = PEM_write_bio_PrivateKey(
-- bio_out, key, cipher,
-- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
-- break;
-- }
--
-+ pem_write = PEM_write_bio_PrivateKey(
-+ bio_out, key, cipher,
-+ (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
- if (pem_write) {
- /* Success!
- * If returning the output as a string, do so now */
-diff --git a/ext/openssl/tests/openssl_pkey_export_basic.phpt b/ext/openssl/tests/openssl_pkey_export_basic.phpt
-index 678b7e7299..5cd68d18b8 100644
---- a/ext/openssl/tests/openssl_pkey_export_basic.phpt
-+++ b/ext/openssl/tests/openssl_pkey_export_basic.phpt
-@@ -47,7 +47,11 @@ var_dump($key instanceof OpenSSLAsymmetricKey);
- object(OpenSSLAsymmetricKey)#%d (0) {
- }
- bool(true)
-------BEGIN EC PRIVATE KEY-----%a-----END EC PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgs+Sqh7IzteDBiS5K
-+PfTvuWuyt9YkrkuoyiW/6bag6NmhRANCAAQ+riFshYe8HnWt1avx6OuNajipU1ZW
-+6BgW0+D/EtDDSYeQg9ngO8qyo5M6cyh7ORtKZVUy7DP1+W+eocaZC+a6
-+-----END PRIVATE KEY-----
- bool(true)
- bool(true)
- object(OpenSSLAsymmetricKey)#%d (0) {
---
-2.31.1
-
-From 87bec9d2942be4a87cccb0d28cb3e134d692c312 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Fri, 6 Aug 2021 16:51:05 +0200
-Subject: [PATCH 24/39] Switch manual DH key generation to param API
-
-Instead of using the deprecated low-level interface.
-
-This should also avoid issues with fetching parameters from
-legacy keys, cf. https://github.com/openssl/openssl/issues/16247.
-
-(cherry picked from commit a7740a0bf00704372353ea4360c3e6b58102a6f7)
----
- ext/openssl/openssl.c | 136 ++++++++++++++++++++++++++++++++++--------
- 1 file changed, 112 insertions(+), 24 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index b360b0506e..06e5adecda 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -56,6 +56,10 @@
- #include
- #include
- #include
-+#if PHP_OPENSSL_API_VERSION >= 0x30000
-+#include
-+#include
-+#endif
-
- /* Common */
- #include
-@@ -3919,8 +3923,8 @@ static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM
- }
- /* }}} */
-
--/* {{{ php_openssl_pkey_init_dh */
--static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private)
-+#if PHP_OPENSSL_API_VERSION < 0x30000
-+static zend_bool php_openssl_pkey_init_legacy_dh(DH *dh, zval *data, bool *is_private)
- {
- BIGNUM *p, *q, *g, *priv_key, *pub_key;
-
-@@ -3952,9 +3956,108 @@ static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private)
- return 0;
- }
- /* all good */
-+ *is_private = true;
- return 1;
- }
--/* }}} */
-+#endif
-+
-+static EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private)
-+{
-+#if PHP_OPENSSL_API_VERSION >= 0x30000
-+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL;
-+ EVP_PKEY *param_key = NULL, *pkey = NULL;
-+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
-+ OSSL_PARAM *params = NULL;
-+ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
-+
-+ OPENSSL_PKEY_SET_BN(data, p);
-+ OPENSSL_PKEY_SET_BN(data, q);
-+ OPENSSL_PKEY_SET_BN(data, g);
-+ OPENSSL_PKEY_SET_BN(data, priv_key);
-+ OPENSSL_PKEY_SET_BN(data, pub_key);
-+
-+ if (!ctx || !bld || !p || !g) {
-+ goto cleanup;
-+ }
-+
-+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p);
-+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g);
-+ if (q) {
-+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q);
-+ }
-+ if (priv_key) {
-+ OSSL_PARAM_BLD_push_BN(bld,
OSSL_PKEY_PARAM_PRIV_KEY, priv_key); -+ if (!pub_key) { -+ pub_key = php_openssl_dh_pub_from_priv(priv_key, g, p); -+ if (!pub_key) { -+ goto cleanup; -+ } -+ } -+ } -+ if (pub_key) { -+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key); -+ } -+ -+ params = OSSL_PARAM_BLD_to_param(bld); -+ if (!params) { -+ goto cleanup; -+ } -+ -+ if (EVP_PKEY_fromdata_init(ctx) <= 0 || -+ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) { -+ goto cleanup; -+ } -+ -+ if (pub_key || priv_key) { -+ *is_private = priv_key != NULL; -+ EVP_PKEY_up_ref(param_key); -+ pkey = param_key; -+ } else { -+ *is_private = true; -+ PHP_OPENSSL_RAND_ADD_TIME(); -+ EVP_PKEY_CTX_free(ctx); -+ ctx = EVP_PKEY_CTX_new(param_key, NULL); -+ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) { -+ goto cleanup; -+ } -+ } -+ -+cleanup: -+ php_openssl_store_errors(); -+ EVP_PKEY_free(param_key); -+ EVP_PKEY_CTX_free(ctx); -+ OSSL_PARAM_free(params); -+ OSSL_PARAM_BLD_free(bld); -+ BN_free(p); -+ BN_free(q); -+ BN_free(g); -+ BN_free(priv_key); -+ BN_free(pub_key); -+ return pkey; -+#else -+ EVP_PKEY *pkey = EVP_PKEY_new(); -+ if (!pkey) { -+ php_openssl_store_errors(); -+ return NULL; -+ } -+ -+ DH *dh = DH_new(); -+ if (!dh) { -+ EVP_PKEY_free(pkey); -+ return NULL; -+ } -+ -+ if (!php_openssl_pkey_init_legacy_dh(dh, data, is_private) -+ || !EVP_PKEY_assign_DH(pkey, dh)) { -+ php_openssl_store_errors(); -+ EVP_PKEY_free(pkey); -+ DH_free(dh); -+ return NULL; -+ } -+ -+ return pkey; -+#endif -+} - - /* {{{ Generates a new private key */ - PHP_FUNCTION(openssl_pkey_new) -@@ -4016,28 +4119,13 @@ PHP_FUNCTION(openssl_pkey_new) - RETURN_FALSE; - } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dh", sizeof("dh") - 1)) != NULL && - Z_TYPE_P(data) == IS_ARRAY) { -- pkey = EVP_PKEY_new(); -- if (pkey) { -- DH *dh = DH_new(); -- if (dh) { -- bool is_private; -- if (php_openssl_pkey_init_dh(dh, data, &is_private)) { -- if (EVP_PKEY_assign_DH(pkey, dh)) { -- 
php_openssl_pkey_object_init(return_value, pkey, is_private); -- return; -- } else { -- php_openssl_store_errors(); -- } -- } -- DH_free(dh); -- } else { -- php_openssl_store_errors(); -- } -- EVP_PKEY_free(pkey); -- } else { -- php_openssl_store_errors(); -+ bool is_private; -+ pkey = php_openssl_pkey_init_dh(data, &is_private); -+ if (!pkey) { -+ RETURN_FALSE; - } -- RETURN_FALSE; -+ php_openssl_pkey_object_init(return_value, pkey, is_private); -+ return; - #ifdef HAVE_EVP_PKEY_EC - } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ec", sizeof("ec") - 1)) != NULL && - Z_TYPE_P(data) == IS_ARRAY) { --- -2.31.1 - -From 0b1f12e24360dad5c6feba319af7e12e2cf72fc1 Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Fri, 6 Aug 2021 17:14:58 +0200 -Subject: [PATCH 25/39] Switch manual DSA key generation to param API - -This is very similar to the DH case, with the primary difference -that priv_key is ignored if pub_key is not given, rather than -generating pub_key from priv_key. Would be nice if these worked -the same (in which case we should probably also unify the keygen -for FFC algorithms, as it's very similar). 
-
-(cherry picked from commit 2bf316fdfc0cfc4b6a5e27c9a13274d01b4b298f)
----
- ext/openssl/openssl.c | 126 ++++++++++++++++++++++++++++++++++--------
- 1 file changed, 102 insertions(+), 24 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 06e5adecda..84a4083807 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -3844,8 +3844,8 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa,
- return 1;
- }
-
--/* {{{ php_openssl_pkey_init_dsa */
--static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_private)
-+#if PHP_OPENSSL_API_VERSION < 0x30000
-+static zend_bool php_openssl_pkey_init_legacy_dsa(DSA *dsa, zval *data, bool *is_private)
- {
- BIGNUM *p, *q, *g, *priv_key, *pub_key;
- const BIGNUM *priv_key_const, *pub_key_const;
-@@ -3878,9 +3878,102 @@ static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_privat
- return 0;
- }
- /* all good */
-+ *is_private = true;
- return 1;
- }
--/* }}} */
-+#endif
-+
-+static EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private)
-+{
-+#if PHP_OPENSSL_API_VERSION >= 0x30000
-+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL;
-+ EVP_PKEY *param_key = NULL, *pkey = NULL;
-+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, NULL);
-+ OSSL_PARAM *params = NULL;
-+ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
-+
-+ OPENSSL_PKEY_SET_BN(data, p);
-+ OPENSSL_PKEY_SET_BN(data, q);
-+ OPENSSL_PKEY_SET_BN(data, g);
-+ OPENSSL_PKEY_SET_BN(data, priv_key);
-+ OPENSSL_PKEY_SET_BN(data, pub_key);
-+
-+ if (!ctx || !bld || !p || !q || !g) {
-+ goto cleanup;
-+ }
-+
-+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p);
-+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q);
-+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g);
-+ // TODO: We silently ignore priv_key if pub_key is not given, unlike in the DH case.
-+ if (pub_key) {
-+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key);
-+ if (priv_key) {
-+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key);
-+ }
-+ }
-+
-+ params = OSSL_PARAM_BLD_to_param(bld);
-+ if (!params) {
-+ goto cleanup;
-+ }
-+
-+ if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
-+ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) {
-+ goto cleanup;
-+ }
-+
-+ if (pub_key) {
-+ *is_private = priv_key != NULL;
-+ EVP_PKEY_up_ref(param_key);
-+ pkey = param_key;
-+ } else {
-+ *is_private = true;
-+ PHP_OPENSSL_RAND_ADD_TIME();
-+ EVP_PKEY_CTX_free(ctx);
-+ ctx = EVP_PKEY_CTX_new(param_key, NULL);
-+ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
-+ goto cleanup;
-+ }
-+ }
-+
-+cleanup:
-+ php_openssl_store_errors();
-+ EVP_PKEY_free(param_key);
-+ EVP_PKEY_CTX_free(ctx);
-+ OSSL_PARAM_free(params);
-+ OSSL_PARAM_BLD_free(bld);
-+ BN_free(p);
-+ BN_free(q);
-+ BN_free(g);
-+ BN_free(priv_key);
-+ BN_free(pub_key);
-+ return pkey;
-+#else
-+ EVP_PKEY *pkey = EVP_PKEY_new();
-+ if (!pkey) {
-+ php_openssl_store_errors();
-+ return NULL;
-+ }
-+
-+ DSA *dsa = DSA_new();
-+ if (!dsa) {
-+ php_openssl_store_errors();
-+ EVP_PKEY_free(pkey);
-+ return NULL;
-+ }
-+
-+ if (!php_openssl_pkey_init_legacy_dsa(dsa, data, is_private)
-+ || !EVP_PKEY_assign_DSA(pkey, dsa)) {
-+ php_openssl_store_errors();
-+ EVP_PKEY_free(pkey);
-+ DSA_free(dsa);
-+ return NULL;
-+ }
-+
-+ return pkey;
-+#endif
-+}
-
- /* {{{ php_openssl_dh_pub_from_priv */
- static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM *p)
-@@ -4095,28 +4188,13 @@ PHP_FUNCTION(openssl_pkey_new)
- RETURN_FALSE;
- } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dsa", sizeof("dsa") - 1)) != NULL &&
- Z_TYPE_P(data) == IS_ARRAY) {
-- pkey = EVP_PKEY_new();
-- if (pkey) {
-- DSA *dsa = DSA_new();
-- if (dsa) {
-- bool is_private;
-- if (php_openssl_pkey_init_dsa(dsa, data, &is_private)) {
-- if (EVP_PKEY_assign_DSA(pkey, dsa)) {
-- php_openssl_pkey_object_init(return_value, pkey, is_private);
-- return;
-- } else {
-- php_openssl_store_errors();
-- }
-- }
-- DSA_free(dsa);
-- } else {
-- php_openssl_store_errors();
-- }
-- EVP_PKEY_free(pkey);
-- } else {
-- php_openssl_store_errors();
-+ bool is_private;
-+ pkey = php_openssl_pkey_init_dsa(data, &is_private);
-+ if (!pkey) {
-+ RETURN_FALSE;
- }
-- RETURN_FALSE;
-+ php_openssl_pkey_object_init(return_value, pkey, is_private);
-+ return;
- } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dh", sizeof("dh") - 1)) != NULL &&
- Z_TYPE_P(data) == IS_ARRAY) {
- bool is_private;
---
-2.31.1
-
-From d20cf6a278be5561debcd5ce0cc34a6046eac669 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Sun, 8 Aug 2021 17:39:06 +0200
-Subject: [PATCH 26/39] Use OpenSSL NCONF APIs (#7337)
-
-(cherry picked from commit 94bc5fce261a4a56a545bdfb25d5c2452a07de08)
----
- ext/openssl/openssl.c | 66 +++++++++++++++++++++++--------------------
- 1 file changed, 36 insertions(+), 30 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 84a4083807..1dda83f71e 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -500,8 +500,8 @@ int php_openssl_get_ssl_stream_data_index()
- static char default_ssl_conf_filename[MAXPATHLEN];
-
- struct php_x509_request { /* {{{ */
-- LHASH_OF(CONF_VALUE) * global_config; /* Global SSL config */
-- LHASH_OF(CONF_VALUE) * req_config; /* SSL config for this request */
-+ CONF *global_config; /* Global SSL config */
-+ CONF *req_config; /* SSL config for this request */
- const EVP_MD * md_alg;
- const EVP_MD * digest;
- char * section_name,
-@@ -712,13 +712,13 @@ static time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */
- }
- /* }}} */
-
--static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, LHASH_OF(CONF_VALUE) * config) /* {{{ */
-+static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, CONF *config) /* {{{ */
- {
- X509V3_CTX ctx;
-
- X509V3_set_ctx_test(&ctx);
-- X509V3_set_conf_lhash(&ctx, config);
-- if (!X509V3_EXT_add_conf(config, &ctx, (char *)section, NULL)) {
-+ X509V3_set_nconf(&ctx, config);
-+ if (!X509V3_EXT_add_nconf(config, &ctx, (char *)section, NULL)) {
- php_openssl_store_errors();
- php_error_docref(NULL, E_WARNING, "Error loading %s section %s of %s",
- section_label,
-@@ -730,17 +730,24 @@ static inline int php_openssl_config_check_syntax(const char * section_label, co
- }
- /* }}} */
-
--static char *php_openssl_conf_get_string(
-- LHASH_OF(CONF_VALUE) *conf, const char *group, const char *name) {
-- char *str = CONF_get_string(conf, group, name);
-- if (str == NULL) {
-- /* OpenSSL reports an error if a configuration value is not found.
-- * However, we don't want to generate errors for optional configuration. */
-- ERR_clear_error();
-- }
-+static char *php_openssl_conf_get_string(CONF *conf, const char *group, const char *name) {
-+ /* OpenSSL reports an error if a configuration value is not found.
-+ * However, we don't want to generate errors for optional configuration. */
-+ ERR_set_mark();
-+ char *str = NCONF_get_string(conf, group, name);
-+ ERR_pop_to_mark();
- return str;
- }
-
-+static long php_openssl_conf_get_number(CONF *conf, const char *group, const char *name) {
-+ /* Same here, ignore errors. */
-+ long res = 0;
-+ ERR_set_mark();
-+ NCONF_get_number(conf, group, name, &res);
-+ ERR_pop_to_mark();
-+ return res;
-+}
-+
- static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */
- {
- char * str;
-@@ -752,7 +759,7 @@ static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */
- if (str == NULL) {
- return SUCCESS;
- }
-- sktmp = CONF_get_section(req->req_config, str);
-+ sktmp = NCONF_get_section(req->req_config, str);
- if (sktmp == NULL) {
- php_openssl_store_errors();
- php_error_docref(NULL, E_WARNING, "Problem loading oid section %s", str);
-@@ -823,13 +830,13 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
-
- SET_OPTIONAL_STRING_ARG("config", req->config_filename, default_ssl_conf_filename);
- SET_OPTIONAL_STRING_ARG("config_section_name", req->section_name, "req");
-- req->global_config = CONF_load(NULL, default_ssl_conf_filename, NULL);
-- if (req->global_config == NULL) {
-+ req->global_config = NCONF_new(NULL);
-+ if (!NCONF_load(req->global_config, default_ssl_conf_filename, NULL)) {
- php_openssl_store_errors();
- }
-- req->req_config = CONF_load(NULL, req->config_filename, NULL);
-- if (req->req_config == NULL) {
-- php_openssl_store_errors();
-+
-+ req->req_config = NCONF_new(NULL);
-+ if (!NCONF_load(req->req_config, req->config_filename, NULL)) {
- return FAILURE;
- }
-
-@@ -853,8 +860,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
- SET_OPTIONAL_STRING_ARG("req_extensions", req->request_extensions_section,
- php_openssl_conf_get_string(req->req_config, req->section_name, "req_extensions"));
- SET_OPTIONAL_LONG_ARG("private_key_bits", req->priv_key_bits,
-- CONF_get_number(req->req_config, req->section_name, "default_bits"));
--
-+ php_openssl_conf_get_number(req->req_config, req->section_name, "default_bits"));
- SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT);
-
- if (optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key")-1)) != NULL) {
-@@ -934,11 +940,11 @@ static void php_openssl_dispose_config(struct php_x509_request * req) /* {{{ */
- req->priv_key = NULL;
- }
- if (req->global_config) {
-- CONF_free(req->global_config);
-+ NCONF_free(req->global_config);
- req->global_config = NULL;
- }
- if (req->req_config) {
-- CONF_free(req->req_config);
-+ NCONF_free(req->req_config);
- req->req_config = NULL;
- }
- }
-@@ -2844,12 +2850,12 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z
- STACK_OF(CONF_VALUE) * dn_sk, *attr_sk = NULL;
- char * str, *dn_sect, *attr_sect;
-
-- dn_sect = CONF_get_string(req->req_config, req->section_name, "distinguished_name");
-+ dn_sect = NCONF_get_string(req->req_config, req->section_name, "distinguished_name");
- if (dn_sect == NULL) {
- php_openssl_store_errors();
- return FAILURE;
- }
-- dn_sk = CONF_get_section(req->req_config, dn_sect);
-+ dn_sk = NCONF_get_section(req->req_config, dn_sect);
- if (dn_sk == NULL) {
- php_openssl_store_errors();
- return FAILURE;
-@@ -2858,7 +2864,7 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z
- if (attr_sect == NULL) {
- attr_sk = NULL;
- } else {
-- attr_sk = CONF_get_section(req->req_config, attr_sect);
-+ attr_sk = NCONF_get_section(req->req_config, attr_sect);
- if (attr_sk == NULL) {
- php_openssl_store_errors();
- return FAILURE;
-@@ -3275,8 +3281,8 @@ PHP_FUNCTION(openssl_csr_sign)
- X509V3_CTX ctx;
-
- X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0);
-- X509V3_set_conf_lhash(&ctx, req.req_config);
-- if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.extensions_section, new_cert)) {
-+ X509V3_set_nconf(&ctx, req.req_config);
-+ if (!X509V3_EXT_add_nconf(req.req_config, &ctx, req.extensions_section, new_cert)) {
- php_openssl_store_errors();
- goto cleanup;
- }
-@@ -3349,10 +3355,10 @@ PHP_FUNCTION(openssl_csr_new)
- X509V3_CTX ext_ctx;
-
- X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, 0);
-- X509V3_set_conf_lhash(&ext_ctx, req.req_config);
-+ X509V3_set_nconf(&ext_ctx, req.req_config);
-
- /* Add extensions */
-- if (req.request_extensions_section && !X509V3_EXT_REQ_add_conf(req.req_config,
-+ if (req.request_extensions_section && !X509V3_EXT_REQ_add_nconf(req.req_config,
- &ext_ctx, req.request_extensions_section, csr))
- {
- php_openssl_store_errors();
---
-2.31.1
-
-From 575c8ddf73c4a343139be225596c5101497e3186 Mon Sep 17 00:00:00 2001
-From: Jakub Zelenka
-Date: Sun, 8 Aug 2021 20:54:46 +0100
-Subject: [PATCH 27/39] Make CertificateGenerator not dependent on external
- config in OpenSSL 3.0
-
-(cherry picked from commit c90c9c7545427d9d35cbac45c4ec896f54619744)
----
- ext/openssl/tests/CertificateGenerator.inc | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/ext/openssl/tests/CertificateGenerator.inc b/ext/openssl/tests/CertificateGenerator.inc
-index 1dc378e706..4783353a47 100644
---- a/ext/openssl/tests/CertificateGenerator.inc
-+++ b/ext/openssl/tests/CertificateGenerator.inc
-@@ -65,7 +65,10 @@ class CertificateGenerator
- ),
- null,
- $this->caKey,
-- 2
-+ 2,
-+ [
-+ 'config' => self::CONFIG,
-+ ]
- );
- }
-
-@@ -101,6 +104,7 @@ class CertificateGenerator
- [ req ]
- distinguished_name = req_distinguished_name
- default_md = sha256
-+default_bits = 1024
-
- [ req_distinguished_name ]
-
-@@ -124,8 +128,9 @@ CONFIG;
- ];
-
- $this->lastKey = self::generateKey($keyLength);
-+ $csr = openssl_csr_new($dn, $this->lastKey, $config);
- $this->lastCert = openssl_csr_sign(
-- openssl_csr_new($dn, $this->lastKey, $config),
-+ $csr,
- $this->ca,
- $this->caKey,
- /* days */ 2,
-@@ -139,7 +144,7 @@ CONFIG;
- openssl_x509_export($this->lastCert, $certText);
-
- $keyText = '';
-- openssl_pkey_export($this->lastKey, $keyText);
-+ openssl_pkey_export($this->lastKey, $keyText, null, $config);
-
- file_put_contents($file, $certText . PHP_EOL . $keyText);
- } finally {
---
-2.31.1
-
-From 4da1bade85b14bd1f0aa9cf9f463931de54de2ef Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Mon, 9 Aug 2021 10:26:12 +0200
-Subject: [PATCH 28/39] Extract EC key initialization
-
-(cherry picked from commit 14d7c7e9aee5ab55a92ddc626b7b81c130ea7618)
----
- ext/openssl/openssl.c | 239 ++++++++++++++++++++++--------------------
- 1 file changed, 126 insertions(+), 113 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 1dda83f71e..a595101cf6 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -4158,6 +4158,126 @@ cleanup:
- #endif
- }
-
-+#ifdef HAVE_EVP_PKEY_EC
-+static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_private) {
-+ EC_GROUP *group = NULL;
-+ EC_POINT *pnt = NULL;
-+ BIGNUM *d = NULL;
-+ zval *bn;
-+ zval *x;
-+ zval *y;
-+
-+ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL &&
-+ Z_TYPE_P(bn) == IS_STRING) {
-+ int nid = OBJ_sn2nid(Z_STRVAL_P(bn));
-+ if (nid != NID_undef) {
-+ group = EC_GROUP_new_by_curve_name(nid);
-+ if (!group) {
-+ php_openssl_store_errors();
-+ goto clean_exit;
-+ }
-+ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
-+ EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED);
-+ if (!EC_KEY_set_group(eckey, group)) {
-+ php_openssl_store_errors();
-+ goto clean_exit;
-+ }
-+ }
-+ }
-+
-+ if (group == NULL) {
-+ php_error_docref(NULL, E_WARNING, "Unknown curve name");
-+ goto clean_exit;
-+ }
-+
-+ // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y'
-+ *is_private = false;
-+ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL &&
-+ Z_TYPE_P(bn) == IS_STRING) {
-+ *is_private = true;
-+ d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL);
-+ if (!EC_KEY_set_private_key(eckey, d)) {
-+ php_openssl_store_errors();
-+ goto clean_exit;
-+ }
-+ // Calculate the public key by multiplying the Point Q with the public key
-+ // P = d * Q
-+ pnt = EC_POINT_new(group);
-+ if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) {
-+ php_openssl_store_errors();
-+ goto clean_exit;
-+ }
-+
-+ BN_free(d);
-+ } else if ((x = zend_hash_str_find(Z_ARRVAL_P(data), "x", sizeof("x") - 1)) != NULL &&
-+ Z_TYPE_P(x) == IS_STRING &&
-+ (y = zend_hash_str_find(Z_ARRVAL_P(data), "y", sizeof("y") - 1)) != NULL &&
-+ Z_TYPE_P(y) == IS_STRING) {
-+ pnt = EC_POINT_new(group);
-+ if (pnt == NULL) {
-+ php_openssl_store_errors();
-+ goto clean_exit;
-+ }
-+ if (!EC_POINT_set_affine_coordinates_GFp(
-+ group, pnt, BN_bin2bn((unsigned char*) Z_STRVAL_P(x), Z_STRLEN_P(x), NULL),
-+ BN_bin2bn((unsigned char*) Z_STRVAL_P(y), Z_STRLEN_P(y), NULL), NULL)) {
-+ php_openssl_store_errors();
-+ goto clean_exit;
-+ }
-+ }
-+
-+ if (pnt != NULL) {
-+ if (!EC_KEY_set_public_key(eckey, pnt)) {
-+ php_openssl_store_errors();
-+ goto clean_exit;
-+ }
-+ EC_POINT_free(pnt);
-+ pnt = NULL;
-+ }
-+
-+ if (!EC_KEY_check_key(eckey)) {
-+ PHP_OPENSSL_RAND_ADD_TIME();
-+ EC_KEY_generate_key(eckey);
-+ php_openssl_store_errors();
-+ }
-+ if (EC_KEY_check_key(eckey)) {
-+ return true;
-+ } else {
-+ php_openssl_store_errors();
-+ }
-+
-+clean_exit:
-+ BN_free(d);
-+ EC_POINT_free(pnt);
-+ EC_GROUP_free(group);
-+ return false;
-+}
-+
-+static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
-+ EVP_PKEY *pkey = EVP_PKEY_new();
-+ if (!pkey) {
-+ php_openssl_store_errors();
-+ return NULL;
-+ }
-+
-+ EC_KEY *ec = EC_KEY_new();
-+ if (!ec) {
-+ EVP_PKEY_free(pkey);
-+ return NULL;
-+ }
-+
-+ if (!php_openssl_pkey_init_legacy_ec(ec, data, is_private)
-+ || !EVP_PKEY_assign_EC_KEY(pkey, ec)) {
-+ php_openssl_store_errors();
-+ EVP_PKEY_free(pkey);
-+ EC_KEY_free(ec);
-+ return NULL;
-+ }
-+
-+ return pkey;
-+}
-+#endif
-+
- /* {{{ Generates a new private key */
- PHP_FUNCTION(openssl_pkey_new)
- {
-@@ -4213,120 +4333,13 @@ PHP_FUNCTION(openssl_pkey_new)
- #ifdef HAVE_EVP_PKEY_EC
- } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ec", sizeof("ec") - 1)) != NULL &&
- Z_TYPE_P(data) == IS_ARRAY) {
-- EC_KEY *eckey = NULL;
-- EC_GROUP *group = NULL;
-- EC_POINT *pnt = NULL;
-- BIGNUM *d = NULL;
-- pkey = EVP_PKEY_new();
-- if (pkey) {
-- eckey = EC_KEY_new();
-- if (eckey) {
-- bool is_private = false;
-- EC_GROUP *group = NULL;
-- zval *bn;
-- zval *x;
-- zval *y;
--
-- if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL &&
-- Z_TYPE_P(bn) == IS_STRING) {
-- int nid = OBJ_sn2nid(Z_STRVAL_P(bn));
-- if (nid != NID_undef) {
-- group = EC_GROUP_new_by_curve_name(nid);
-- if (!group) {
-- php_openssl_store_errors();
-- goto clean_exit;
-- }
-- EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
-- EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED);
-- if (!EC_KEY_set_group(eckey, group)) {
-- php_openssl_store_errors();
-- goto clean_exit;
-- }
-- }
-- }
--
-- if (group == NULL) {
-- php_error_docref(NULL, E_WARNING, "Unknown curve name");
-- goto clean_exit;
-- }
--
-- // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y'
-- if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL &&
-- Z_TYPE_P(bn) == IS_STRING) {
-- is_private = true;
-- d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL);
-- if (!EC_KEY_set_private_key(eckey, d)) {
-- php_openssl_store_errors();
-- goto clean_exit;
-- }
-- // Calculate the public key by multiplying the Point Q with the public key
-- // P = d * Q
-- pnt = EC_POINT_new(group);
-- if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) {
-- php_openssl_store_errors();
-- goto clean_exit;
-- }
--
-- BN_free(d);
-- } else if ((x = zend_hash_str_find(Z_ARRVAL_P(data), "x", sizeof("x") - 1)) != NULL &&
-- Z_TYPE_P(x) == IS_STRING &&
-- (y = zend_hash_str_find(Z_ARRVAL_P(data), "y", sizeof("y") - 1)) != NULL &&
-- Z_TYPE_P(y) == IS_STRING) {
-- pnt = EC_POINT_new(group);
-- if (pnt == NULL) {
-- php_openssl_store_errors();
-- goto clean_exit;
-- }
-- if (!EC_POINT_set_affine_coordinates_GFp(
-- group, pnt, BN_bin2bn((unsigned char*) Z_STRVAL_P(x), Z_STRLEN_P(x), NULL),
-- BN_bin2bn((unsigned char*) Z_STRVAL_P(y), Z_STRLEN_P(y), NULL), NULL)) {
-- php_openssl_store_errors();
-- goto clean_exit;
-- }
-- }
--
-- if (pnt != NULL) {
-- if (!EC_KEY_set_public_key(eckey, pnt)) {
-- php_openssl_store_errors();
-- goto clean_exit;
-- }
-- EC_POINT_free(pnt);
-- pnt = NULL;
-- }
--
-- if (!EC_KEY_check_key(eckey)) {
-- PHP_OPENSSL_RAND_ADD_TIME();
-- EC_KEY_generate_key(eckey);
-- php_openssl_store_errors();
-- }
-- if (EC_KEY_check_key(eckey) && EVP_PKEY_assign_EC_KEY(pkey, eckey)) {
-- EC_GROUP_free(group);
-- php_openssl_pkey_object_init(return_value, pkey, is_private);
-- return;
-- } else {
-- php_openssl_store_errors();
-- }
-- } else {
-- php_openssl_store_errors();
-- }
-- } else {
-- php_openssl_store_errors();
-- }
--clean_exit:
-- if (d != NULL) {
-- BN_free(d);
-- }
-- if (pnt != NULL) {
-- EC_POINT_free(pnt);
-- }
-- if (group != NULL) {
-- EC_GROUP_free(group);
-- }
-- if (eckey != NULL) {
-- EC_KEY_free(eckey);
-+ bool is_private;
-+ pkey = php_openssl_pkey_init_ec(data, &is_private);
-+ if (!pkey) {
-+ RETURN_FALSE;
- }
-- EVP_PKEY_free(pkey);
-- RETURN_FALSE;
-+ php_openssl_pkey_object_init(return_value, pkey, is_private);
-+ return;
- #endif
- }
- }
---
-2.31.1
-
-From 0b12c49898ef390ce53e33490a842fd384de6902 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Mon, 9 Aug 2021 12:01:35 +0200
-Subject: [PATCH 29/39] Test calculation of EC public key from private key
-
-(cherry picked from commit 246698671f941b2034518ab04f35009b2da77bb1)
----
- ext/openssl/tests/ecc.phpt | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt
-index 0a71393ae3..0b05410c2c 100644
---- a/ext/openssl/tests/ecc.phpt
-+++ b/ext/openssl/tests/ecc.phpt
-@@ -33,6 +33,16 @@ $d2 = openssl_pkey_get_details($key2);
- // Compare array
- var_dump($d1 === $d2);
-
-+// Check that the public key info is computed from the private key if it is missing.
-+$d1_priv = $d1;
-+unset($d1_priv["ec"]["x"]);
-+unset($d1_priv["ec"]["y"]);
-+
-+$key3 = openssl_pkey_new($d1_priv);
-+var_dump($key3);
-+$d3 = openssl_pkey_get_details($key3);
-+var_dump($d1 === $d3);
-+
- $dn = array(
- "countryName" => "BR",
- "stateOrProvinceName" => "Rio Grande do Sul",
-@@ -93,6 +103,9 @@ bool(true)
- object(OpenSSLAsymmetricKey)#%d (0) {
- }
- bool(true)
-+object(OpenSSLAsymmetricKey)#%d (0) {
-+}
-+bool(true)
- Testing openssl_csr_new with key generation
- NULL
- object(OpenSSLAsymmetricKey)#%d (0) {
---
-2.31.1
-
-From 6b6b7c28dc81e106f6a1ef96d1f4bc43901764cf Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Mon, 9 Aug 2021 11:12:20 +0200
-Subject: [PATCH 30/39] Use param API for creating EC keys
-
-Rather than the deprecated low level APIs.
-
-(cherry picked from commit f9e701cde813fad4e1f647e63750c0b9bdeadb4e)
----
- ext/openssl/openssl.c | 96 +++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 96 insertions(+)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index a595101cf6..df057caa8b 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -4159,6 +4159,7 @@ cleanup:
- }
-
- #ifdef HAVE_EVP_PKEY_EC
-+#if PHP_OPENSSL_API_VERSION < 0x30000
- static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_private) {
- EC_GROUP *group = NULL;
- EC_POINT *pnt = NULL;
-@@ -4236,6 +4237,7 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_
- }
-
- if (!EC_KEY_check_key(eckey)) {
-+ *is_private = true;
- PHP_OPENSSL_RAND_ADD_TIME();
- EC_KEY_generate_key(eckey);
- php_openssl_store_errors();
-@@ -4252,8 +4254,101 @@ clean_exit:
- EC_GROUP_free(group);
- return false;
- }
-+#endif
-
- static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
-+#if PHP_OPENSSL_API_VERSION >= 0x30000
-+ BIGNUM *d = NULL, *x = NULL, *y = NULL;
-+ EC_GROUP *group = NULL;
-+ EC_POINT *pnt = NULL;
-+ char *pnt_oct = NULL;
-+ EVP_PKEY *param_key = NULL, *pkey = NULL;
-+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
-+ OSSL_PARAM *params = NULL;
-+ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
-+ zval *curve_name_zv = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1);
-+
-+ OPENSSL_PKEY_SET_BN(data, d);
-+ OPENSSL_PKEY_SET_BN(data, x);
-+ OPENSSL_PKEY_SET_BN(data, y);
-+
-+ if (!ctx || !bld || !curve_name_zv || Z_TYPE_P(curve_name_zv) != IS_STRING) {
-+ goto cleanup;
-+ }
-+
-+ int nid = OBJ_sn2nid(Z_STRVAL_P(curve_name_zv));
-+ group = EC_GROUP_new_by_curve_name(nid);
-+ if (!group) {
-+ php_error_docref(NULL, E_WARNING, "Unknown curve name");
-+ goto cleanup;
-+ }
-+
-+ OSSL_PARAM_BLD_push_utf8_string(
-+ bld, OSSL_PKEY_PARAM_GROUP_NAME, Z_STRVAL_P(curve_name_zv), Z_STRLEN_P(curve_name_zv));
-+
-+ if (d) {
-+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, d);
-+
-+ pnt = EC_POINT_new(group);
-+ if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) {
-+ goto cleanup;
-+ }
-+ } else if (x && y) {
-+ /* OpenSSL does not allow setting EC_PUB_X/EC_PUB_Y, so convert to encoded format. */
-+ pnt = EC_POINT_new(group);
-+ if (!pnt || !EC_POINT_set_affine_coordinates(group, pnt, x, y, NULL)) {
-+ goto cleanup;
-+ }
-+ }
-+
-+ if (pnt) {
-+ size_t pnt_oct_len =
-+ EC_POINT_point2buf(group, pnt, POINT_CONVERSION_COMPRESSED, &pnt_oct, NULL);
-+ if (!pnt_oct_len) {
-+ goto cleanup;
-+ }
-+
-+ OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, pnt_oct, pnt_oct_len);
-+ }
-+
-+ params = OSSL_PARAM_BLD_to_param(bld);
-+ if (!params) {
-+ goto cleanup;
-+ }
-+
-+ if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
-+ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) {
-+ goto cleanup;
-+ }
-+
-+ EVP_PKEY_CTX_free(ctx);
-+ ctx = EVP_PKEY_CTX_new(param_key, NULL);
-+ if (EVP_PKEY_check(ctx)) {
-+ *is_private = d != NULL;
-+ EVP_PKEY_up_ref(param_key);
-+ pkey = param_key;
-+ } else {
-+ *is_private = true;
-+ PHP_OPENSSL_RAND_ADD_TIME();
-+ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
-+ goto cleanup;
-+ }
-+ }
-+
-+cleanup:
-+ php_openssl_store_errors();
-+ EVP_PKEY_free(param_key);
-+ EVP_PKEY_CTX_free(ctx);
-+ OSSL_PARAM_free(params);
-+ OSSL_PARAM_BLD_free(bld);
-+ EC_POINT_free(pnt);
-+ EC_GROUP_free(group);
-+ OPENSSL_free(pnt_oct);
-+ BN_free(d);
-+ BN_free(x);
-+ BN_free(y);
-+ return pkey;
-+#else
- EVP_PKEY *pkey = EVP_PKEY_new();
- if (!pkey) {
- php_openssl_store_errors();
-@@ -4275,6 +4370,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
- }
-
- return pkey;
-+#endif
- }
- #endif
-
---
-2.31.1
-
-From ab4d43be04953eb75b37d532ac5fe42f0464f1be Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Mon, 9 Aug 2021 14:19:33 +0200
-Subject: [PATCH 31/39] Extract public key portion via PEM roundtrip
-
-The workaround with cloning the X509_REQ no longer works in
-OpenSSL 3. Instead extract the public key portion by round
-tripping through PEM.
-
-(cherry picked from commit 26a51e8d7a6026f6bd69813d044785d154a296a3)
----
- ext/openssl/openssl.c | 43 +++++++++++++++++++------------------------
- 1 file changed, 19 insertions(+), 24 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index df057caa8b..e86e99c73f 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -3430,49 +3430,44 @@ PHP_FUNCTION(openssl_csr_get_subject)
- }
- /* }}} */
-
-+static EVP_PKEY *php_openssl_extract_public_key(EVP_PKEY *priv_key)
-+{
-+ /* Extract public key portion by round-tripping through PEM. */
-+ BIO *bio = BIO_new(BIO_s_mem());
-+ if (!bio || !PEM_write_bio_PUBKEY(bio, priv_key)) {
-+ BIO_free(bio);
-+ return NULL;
-+ }
-+
-+ EVP_PKEY *pub_key = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
-+ BIO_free(bio);
-+ return pub_key;
-+}
-+
- /* {{{ Returns the subject of a CERT or FALSE on error */
- PHP_FUNCTION(openssl_csr_get_public_key)
- {
-- X509_REQ *orig_csr, *csr;
- zend_object *csr_obj;
- zend_string *csr_str;
- zend_bool use_shortnames = 1;
-
-- EVP_PKEY *tpubkey;
--
- ZEND_PARSE_PARAMETERS_START(1, 2)
- Z_PARAM_OBJ_OF_CLASS_OR_STR(csr_obj, php_openssl_request_ce, csr_str)
- Z_PARAM_OPTIONAL
- Z_PARAM_BOOL(use_shortnames)
- ZEND_PARSE_PARAMETERS_END();
-
-- orig_csr = php_openssl_csr_from_param(csr_obj, csr_str);
-- if (orig_csr == NULL) {
-+ X509_REQ *csr = php_openssl_csr_from_param(csr_obj, csr_str);
-+ if (csr == NULL) {
- RETURN_FALSE;
- }
-
--#if PHP_OPENSSL_API_VERSION >= 0x10100
-- /* Due to changes in OpenSSL 1.1 related to locking when decoding CSR,
-- * the pub key is not changed after assigning. It means if we pass
-- * a private key, it will be returned including the private part.
-- * If we duplicate it, then we get just the public part which is
-- * the same behavior as for OpenSSL 1.0 */
-- csr = X509_REQ_dup(orig_csr);
--#else
-- csr = orig_csr;
--#endif
--
- /* Retrieve the public key from the CSR */
-- tpubkey = X509_REQ_get_pubkey(csr);
--
-- if (csr != orig_csr) {
-- /* We need to free the duplicated CSR */
-- X509_REQ_free(csr);
-- }
-+ EVP_PKEY *tpubkey = php_openssl_extract_public_key(X509_REQ_get_pubkey(csr));
-
- if (csr_str) {
-- /* We also need to free the original CSR if it was freshly created */
-- X509_REQ_free(orig_csr);
-+ /* We need to free the original CSR if it was freshly created */
-+ X509_REQ_free(csr);
- }
-
- if (tpubkey == NULL) {
---
-2.31.1
-
-From 7939ffbdcc8d3358306653d7343f2b70204824f9 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Fri, 6 Aug 2021 12:08:07 +0200
-Subject: [PATCH 32/39] Use param API for openssl_pkey_get_details()
-
-Now that the DSA/DH/EC keys are not created using the legacy API,
-we can fetch the details using the param API as well, and not
-run into buggy priv_key handling.
- -(cherry picked from commit 6db2c2dbe7a02055e2798e503ccde4b151b7cabf) ---- - ext/openssl/openssl.c | 123 ++++++++++++++++++++++++++++++++++++------ - 1 file changed, 106 insertions(+), 17 deletions(-) - -diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c -index e86e99c73f..40f05da9f2 100644 ---- a/ext/openssl/openssl.c -+++ b/ext/openssl/openssl.c -@@ -3788,17 +3788,17 @@ cleanup: - } - /* }}} */ - --#define OPENSSL_GET_BN(_array, _bn, _name) do { \ -- if (_bn != NULL) { \ -- int len = BN_num_bytes(_bn); \ -- zend_string *str = zend_string_alloc(len, 0); \ -- BN_bn2bin(_bn, (unsigned char*)ZSTR_VAL(str)); \ -- ZSTR_VAL(str)[len] = 0; \ -- add_assoc_str(&_array, #_name, str); \ -- } \ -- } while (0); -+static void php_openssl_add_bn_to_array(zval *ary, const BIGNUM *bn, const char *name) { -+ if (bn != NULL) { -+ int len = BN_num_bytes(bn); -+ zend_string *str = zend_string_alloc(len, 0); -+ BN_bn2bin(bn, (unsigned char *)ZSTR_VAL(str)); -+ ZSTR_VAL(str)[len] = 0; -+ add_assoc_str(ary, name, str); -+ } -+} - --#define OPENSSL_PKEY_GET_BN(_type, _name) OPENSSL_GET_BN(_type, _name, _name) -+#define OPENSSL_PKEY_GET_BN(_type, _name) php_openssl_add_bn_to_array(&_type, _name, #_name) - - #define OPENSSL_PKEY_SET_BN(_data, _name) do { \ - zval *bn; \ -@@ -4639,12 +4639,34 @@ PHP_FUNCTION(openssl_pkey_get_private) - - /* }}} */ - -+#if PHP_OPENSSL_API_VERSION >= 0x30000 -+static void php_openssl_copy_bn_param( -+ zval *ary, EVP_PKEY *pkey, const char *param, const char *name) { -+ BIGNUM *bn = NULL; -+ if (EVP_PKEY_get_bn_param(pkey, param, &bn) > 0) { -+ php_openssl_add_bn_to_array(ary, bn, name); -+ BN_free(bn); -+ } -+} -+ -+static zend_string *php_openssl_get_utf8_param( -+ EVP_PKEY *pkey, const char *param, const char *name) { -+ char buf[64]; -+ size_t len; -+ if (EVP_PKEY_get_utf8_string_param(pkey, param, buf, sizeof(buf), &len) > 0) { -+ zend_string *str = zend_string_alloc(len, 0); -+ memcpy(ZSTR_VAL(str), buf, len); -+ ZSTR_VAL(str)[len] = '\0'; -+ 
return str; -+ } -+ return NULL; -+} -+#endif -+ - /* {{{ returns an array with the key details (bits, pkey, type)*/ - PHP_FUNCTION(openssl_pkey_get_details) - { - zval *key; -- EVP_PKEY *pkey; -- BIO *out; - unsigned int pbio_len; - char *pbio; - zend_long ktype; -@@ -4653,9 +4675,9 @@ PHP_FUNCTION(openssl_pkey_get_details) - RETURN_THROWS(); - } - -- pkey = Z_OPENSSL_PKEY_P(key)->pkey; -+ EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey; - -- out = BIO_new(BIO_s_mem()); -+ BIO *out = BIO_new(BIO_s_mem()); - if (!PEM_write_bio_PUBKEY(out, pkey)) { - BIO_free(out); - php_openssl_store_errors(); -@@ -4669,6 +4691,72 @@ PHP_FUNCTION(openssl_pkey_get_details) - /*TODO: Use the real values once the openssl constants are used - * See the enum at the top of this file - */ -+#if PHP_OPENSSL_API_VERSION >= 0x30000 -+ zval ary; -+ switch (EVP_PKEY_base_id(pkey)) { -+ case EVP_PKEY_RSA: -+ ktype = OPENSSL_KEYTYPE_RSA; -+ array_init(&ary); -+ add_assoc_zval(return_value, "rsa", &ary); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_N, "n"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_E, "e"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_D, "d"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, "p"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, "q"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, "dmp1"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, "dmq1"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, "iqmp"); -+ break; -+ case EVP_PKEY_DSA: -+ ktype = OPENSSL_KEYTYPE_DSA; -+ array_init(&ary); -+ add_assoc_zval(return_value, "dsa", &ary); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_P, "p"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_Q, "q"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_G, "g"); -+ php_openssl_copy_bn_param(&ary, pkey, 
OSSL_PKEY_PARAM_PRIV_KEY, "priv_key"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key"); -+ break; -+ case EVP_PKEY_DH: -+ ktype = OPENSSL_KEYTYPE_DH; -+ array_init(&ary); -+ add_assoc_zval(return_value, "dh", &ary); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_P, "p"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_G, "g"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "priv_key"); -+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key"); -+ break; -+ case EVP_PKEY_EC: { -+ ktype = OPENSSL_KEYTYPE_EC; -+ array_init(&ary); -+ add_assoc_zval(return_value, "ec", &ary); -+ -+ zend_string *curve_name = php_openssl_get_utf8_param( -+ pkey, OSSL_PKEY_PARAM_GROUP_NAME, "curve_name"); -+ if (curve_name) { -+ add_assoc_str(&ary, "curve_name", curve_name); -+ -+ int nid = OBJ_sn2nid(ZSTR_VAL(curve_name)); -+ if (nid != NID_undef) { -+ ASN1_OBJECT *obj = OBJ_nid2obj(nid); -+ if (obj) { -+ // OpenSSL recommends a buffer length of 80. 
-+ char oir_buf[80];
-+ int oir_len = OBJ_obj2txt(oir_buf, sizeof(oir_buf), obj, 1);
-+ add_assoc_stringl(&ary, "curve_oid", oir_buf, oir_len);
-+ ASN1_OBJECT_free(obj);
-+ }
-+ }
-+ }
-+
-+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_EC_PUB_X, "x");
-+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_EC_PUB_Y, "y");
-+ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "d");
-+ break;
-+ }
-+ EMPTY_SWITCH_DEFAULT_CASE();
-+ }
-+#else
- switch (EVP_PKEY_base_id(pkey)) {
- case EVP_PKEY_RSA:
- case EVP_PKEY_RSA2:
-@@ -4785,14 +4873,14 @@ PHP_FUNCTION(openssl_pkey_get_details)
- pub = EC_KEY_get0_public_key(ec_key);
-
- if (EC_POINT_get_affine_coordinates_GFp(ec_group, pub, x, y, NULL)) {
-- OPENSSL_GET_BN(ec, x, x);
-- OPENSSL_GET_BN(ec, y, y);
-+ php_openssl_add_bn_to_array(&ec, x, "x");
-+ php_openssl_add_bn_to_array(&ec, y, "y");
- } else {
- php_openssl_store_errors();
- }
-
- if ((d = EC_KEY_get0_private_key(EVP_PKEY_get0_EC_KEY(pkey))) != NULL) {
-- OPENSSL_GET_BN(ec, d, d);
-+ php_openssl_add_bn_to_array(&ec, d, "d");
- }
-
- add_assoc_zval(return_value, "ec", &ec);
-@@ -4806,6 +4894,7 @@ PHP_FUNCTION(openssl_pkey_get_details)
- ktype = -1;
- break;
- }
-+#endif
- add_assoc_long(return_value, "type", ktype);
-
- BIO_free(out);
---
-2.31.1
-
-From 35012d2b29254b806e5f376817d22f6c3bab136d Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Mon, 9 Aug 2021 14:34:12 +0200
-Subject: [PATCH 33/39] Add missing unsigned qualifier
-
-This previously got lost in the deprecation warning noise.
-
-(cherry picked from commit ff2a39e6fcbd9a3bd7f411168b19711a4be9a2a4)
----
- ext/openssl/openssl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 40f05da9f2..856d7fc4af 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -4256,7 +4256,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
- BIGNUM *d = NULL, *x = NULL, *y = NULL;
- EC_GROUP *group = NULL;
- EC_POINT *pnt = NULL;
-- char *pnt_oct = NULL;
-+ unsigned char *pnt_oct = NULL;
- EVP_PKEY *param_key = NULL, *pkey = NULL;
- EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
- OSSL_PARAM *params = NULL;
---
-2.31.1
-
-From c34296faadc0a9e15e4ca960d573cdf3aabd8742 Mon Sep 17 00:00:00 2001
-From: Nikita Popov
-Date: Mon, 9 Aug 2021 14:47:43 +0200
-Subject: [PATCH 34/39] Use param API to create RSA key
-
-Instead of deprecated low-level API.
-
-A caveat here is that when using the high-level API, OpenSSL 3
-requires that if the prime factors are set, the CRT parameters
-are also set. See https://github.com/openssl/openssl/issues/16271.
-
-As such, add CRT parameters to the manual construction test.
-
-This fixes the last deprecation warnings in openssl.c, but there
-are more elsewhere.
- -(cherry picked from commit 3724b49aa953fadc365c27e64fba2266d7f6d16b) ---- - ext/openssl/openssl.c | 121 +++++++++++++++--- - ext/openssl/tests/openssl_pkey_new_basic.phpt | 16 +++ - 2 files changed, 116 insertions(+), 21 deletions(-) - -diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c -index 856d7fc4af..9e31f76998 100644 ---- a/ext/openssl/openssl.c -+++ b/ext/openssl/openssl.c -@@ -3812,8 +3812,8 @@ static void php_openssl_add_bn_to_array(zval *ary, const BIGNUM *bn, const char - } \ - } while (0); - --/* {{{ php_openssl_pkey_init_rsa */ --static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, zval *data) -+#if PHP_OPENSSL_API_VERSION < 0x30000 -+static zend_bool php_openssl_pkey_init_legacy_rsa(RSA *rsa, zval *data) - { - BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp; - -@@ -3837,12 +3837,102 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, - return 0; - } - -- if (!EVP_PKEY_assign_RSA(pkey, rsa)) { -+ return 1; -+} -+#endif -+ -+static EVP_PKEY *php_openssl_pkey_init_rsa(zval *data) -+{ -+#if PHP_OPENSSL_API_VERSION >= 0x30000 -+ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL; -+ BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; -+ EVP_PKEY *pkey = NULL; -+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); -+ OSSL_PARAM *params = NULL; -+ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); -+ -+ OPENSSL_PKEY_SET_BN(data, n); -+ OPENSSL_PKEY_SET_BN(data, e); -+ OPENSSL_PKEY_SET_BN(data, d); -+ OPENSSL_PKEY_SET_BN(data, p); -+ OPENSSL_PKEY_SET_BN(data, q); -+ OPENSSL_PKEY_SET_BN(data, dmp1); -+ OPENSSL_PKEY_SET_BN(data, dmq1); -+ OPENSSL_PKEY_SET_BN(data, iqmp); -+ -+ if (!ctx || !bld || !n || !d) { -+ goto cleanup; -+ } -+ -+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n); -+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d); -+ if (e) { -+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e); -+ } -+ if (p) { -+ OSSL_PARAM_BLD_push_BN(bld, 
OSSL_PKEY_PARAM_RSA_FACTOR1, p); -+ } -+ if (q) { -+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR2, q); -+ } -+ if (dmp1) { -+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1); -+ } -+ if (dmq1) { -+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1); -+ } -+ if (iqmp) { -+ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp); -+ } -+ -+ params = OSSL_PARAM_BLD_to_param(bld); -+ if (!params) { -+ goto cleanup; -+ } -+ -+ if (EVP_PKEY_fromdata_init(ctx) <= 0 || -+ EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) { -+ goto cleanup; -+ } -+ -+cleanup: -+ php_openssl_store_errors(); -+ EVP_PKEY_CTX_free(ctx); -+ OSSL_PARAM_free(params); -+ OSSL_PARAM_BLD_free(bld); -+ BN_free(n); -+ BN_free(e); -+ BN_free(d); -+ BN_free(p); -+ BN_free(q); -+ BN_free(dmp1); -+ BN_free(dmq1); -+ BN_free(iqmp); -+ return pkey; -+#else -+ EVP_PKEY *pkey = EVP_PKEY_new(); -+ if (!pkey) { - php_openssl_store_errors(); -- return 0; -+ return NULL; - } - -- return 1; -+ RSA *rsa = RSA_new(); -+ if (!rsa) { -+ php_openssl_store_errors(); -+ EVP_PKEY_free(pkey); -+ return NULL; -+ } -+ -+ if (!php_openssl_pkey_init_legacy_rsa(rsa, data) -+ || !EVP_PKEY_assign_RSA(pkey, rsa)) { -+ php_openssl_store_errors(); -+ EVP_PKEY_free(pkey); -+ RSA_free(rsa); -+ return NULL; -+ } -+ -+ return pkey; -+#endif - } - - #if PHP_OPENSSL_API_VERSION < 0x30000 -@@ -4386,23 +4476,12 @@ PHP_FUNCTION(openssl_pkey_new) - - if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "rsa", sizeof("rsa")-1)) != NULL && - Z_TYPE_P(data) == IS_ARRAY) { -- pkey = EVP_PKEY_new(); -- if (pkey) { -- RSA *rsa = RSA_new(); -- if (rsa) { -- if (php_openssl_pkey_init_and_assign_rsa(pkey, rsa, data)) { -- php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true); -- return; -- } -- RSA_free(rsa); -- } else { -- php_openssl_store_errors(); -- } -- EVP_PKEY_free(pkey); -- } else { -- php_openssl_store_errors(); -+ pkey = php_openssl_pkey_init_rsa(data); -+ if 
(!pkey) { -+ RETURN_FALSE; - } -- RETURN_FALSE; -+ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true); -+ return; - } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dsa", sizeof("dsa") - 1)) != NULL && - Z_TYPE_P(data) == IS_ARRAY) { - bool is_private; -diff --git a/ext/openssl/tests/openssl_pkey_new_basic.phpt b/ext/openssl/tests/openssl_pkey_new_basic.phpt -index b2c37f6a87..08c9660f22 100644 ---- a/ext/openssl/tests/openssl_pkey_new_basic.phpt -+++ b/ext/openssl/tests/openssl_pkey_new_basic.phpt -@@ -26,6 +26,11 @@ $phex = "EECFAE81B1B9B3C908810B10A1B5600199EB9F44AEF4FDA493B81A9E3D84F632" . - $qhex = "C97FB1F027F453F6341233EAAAD1D9353F6C42D08866B1D05A0F2035028B9D86" . - "9840B41666B42E92EA0DA3B43204B5CFCE3352524D0416A5A441E700AF461503"; - -+$dphex = "11"; -+$dqhex = "11"; -+$qinvhex = "b06c4fdabb6301198d265bdbae9423b380f271f73453885093077fcd39e2119f" . -+ "c98632154f5883b167a967bf402b4e9e2e0f9656e698ea3666edfb25798039f7"; -+ - $rsa= openssl_pkey_new(array( - 'rsa' => array( - 'n' => hex2bin($nhex), -@@ -33,6 +38,9 @@ $rsa= openssl_pkey_new(array( - 'd' => hex2bin($dhex), - 'p' => hex2bin($phex), - 'q' => hex2bin($qhex), -+ 'dmp1' => hex2bin($dphex), -+ 'dmq1' => hex2bin($dqhex), -+ 'iqmp' => hex2bin($qinvhex), - ) - )); - $details = openssl_pkey_get_details($rsa); -@@ -42,6 +50,10 @@ openssl_pkey_test_cmp($ehex, $rsa_details['e']); - openssl_pkey_test_cmp($dhex, $rsa_details['d']); - openssl_pkey_test_cmp($phex, $rsa_details['p']); - openssl_pkey_test_cmp($qhex, $rsa_details['q']); -+openssl_pkey_test_cmp($dphex, $rsa_details['dmp1']); -+openssl_pkey_test_cmp($dqhex, $rsa_details['dmq1']); -+openssl_pkey_test_cmp($qinvhex, $rsa_details['iqmp']); -+echo "\n"; - - // DSA - $phex = '00f8000ae45b2dacb47dd977d58b719d097bdf07cb2c17660ad898518c08' . 
-@@ -95,6 +107,10 @@ int(0) - int(0) - int(0) - int(0) -+int(0) -+int(0) -+int(0) -+ - int(0) - int(0) - int(0) --- -2.31.1 - -From b32adee0fe39c9d0fb981fc7cfe1892c225ba1c3 Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Tue, 10 Aug 2021 11:50:18 +0200 -Subject: [PATCH 35/39] Fork openssl_error_string() test for OpenSSL - -The used error code differ signficantly, so use a separate test -file. - -openssl_encrypt() no longer throws an error for invalid key length, -which looks like an upstream bug. - -(cherry picked from commit e5f53e1ca13bfe8abd0f6037c98b59d2dac5744f) ---- - .../tests/openssl_error_string_basic.phpt | 7 +- - .../openssl_error_string_basic_openssl3.phpt | 183 ++++++++++++++++++ - 2 files changed, 188 insertions(+), 2 deletions(-) - create mode 100644 ext/openssl/tests/openssl_error_string_basic_openssl3.phpt - -diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt -index f3eb82067b..aee84b3fab 100644 ---- a/ext/openssl/tests/openssl_error_string_basic.phpt -+++ b/ext/openssl/tests/openssl_error_string_basic.phpt -@@ -1,7 +1,10 @@ - --TEST-- --openssl_error_string() tests -+openssl_error_string() tests (OpenSSL < 3.0) - --SKIPIF-- -- -+= 0x30000000) die('skip For OpenSSL < 3.0'); -+?> - --FILE-- - = 3.0) -+--EXTENSIONS-- -+openssl -+--SKIPIF-- -+= 3.0'); -+?> -+--FILE-- -+ 0) { -+ $error_code = $m[1]; -+ if (isset($expected_errors[$error_code])) { -+ $expected_errors[$error_code] = true; -+ } -+ $all_errors[$error_code] = $error_string; -+ } else { -+ $all_errors[] = $error_string; -+ } -+ } -+ -+ $fail = false; -+ foreach ($expected_errors as $error_code => $error_code_found) { -+ if (!$error_code_found) { -+ $fail = true; -+ echo "$name: no error code $error_code\n"; -+ } -+ } -+ -+ if (!$fail) { -+ echo "$name: ok\n"; -+ } else { -+ echo "$name: uncaught errors\n"; -+ foreach ($all_errors as $code => $str) { -+ if (!isset($expected_errors[$code]) || !$expected_errors[$code]) { -+ echo 
"\t", $code, ": ", $str, "\n"; -+ } -+ } -+ } -+} -+ -+// helper for debugging errors -+function dump_openssl_errors($name) { -+ echo "\n$name\n"; -+ while (($error_string = openssl_error_string()) !== false) { -+ var_dump($error_string); -+ } -+} -+ -+// common output file -+$output_file = __DIR__ . "/openssl_error_string_basic_output.tmp"; -+// invalid file for read is something that does not exist in current directory -+$invalid_file_for_read = __DIR__ . "/invalid_file_for_read_operation.txt"; -+// invalid file for is the test dir as writing file to existing dir should always fail -+$invalid_file_for_write = __DIR__; -+// crt file -+$crt_file = "file://" . __DIR__ . "/cert.crt"; -+// csr file -+$csr_file = "file://" . __DIR__ . "/cert.csr"; -+// public key file -+$public_key_file = "file://" .__DIR__ . "/public.key"; -+// private key file -+$private_key_file = "file://" .__DIR__ . "/private_rsa_1024.key"; -+// private key file with password (password is 'php') -+$private_key_file_with_pass = "file://" .__DIR__ . "/private_rsa_2048_pass_php.key"; -+ -+// ENCRYPTION -+$data = "test"; -+$method = "AES-128-ECB"; -+$enc_key = str_repeat('x', 40); -+// error because password is longer then key length and -+// EVP_CIPHER_CTX_set_key_length fails for AES -+if (0) { -+// TODO: This no longer errors! 
-+openssl_encrypt($data, $method, $enc_key);
-+$enc_error = openssl_error_string();
-+var_dump($enc_error);
-+// make sure that error is cleared now
-+var_dump(openssl_error_string());
-+// internally OpenSSL ERR won't save more than 15 (16 - 1) errors so lets test it
-+for ($i = 0; $i < 20; $i++) {
-+ openssl_encrypt($data, $method, $enc_key);
-+}
-+$error_queue_size = 0;
-+while (($enc_error_new = openssl_error_string()) !== false) {
-+ if ($enc_error_new !== $enc_error) {
-+ echo "The new encoding error doesn't match the expected one\n";
-+ }
-+ ++$error_queue_size;
-+}
-+var_dump($error_queue_size);
-+echo "\n";
-+}
-+
-+$err_pem_no_start_line = '0480006C';
-+
-+// PKEY
-+echo "PKEY errors\n";
-+// file for pkey (file:///) fails when opennig (BIO_new_file)
-+@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file);
-+expect_openssl_errors('openssl_pkey_export_to_file opening', ['10000080']);
-+// file or private pkey is not correct PEM - failing PEM_read_bio_PrivateKey
-+@openssl_pkey_export_to_file($csr_file, $output_file);
-+expect_openssl_errors('openssl_pkey_export_to_file pem', ['1E08010C']);
-+// file to export cannot be written
-+@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write);
-+expect_openssl_errors('openssl_pkey_export_to_file write', ['10080002']);
-+// successful export
-+@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd');
-+expect_openssl_errors('openssl_pkey_export', ['1C800064', '04800065']);
-+// invalid x509 for getting public key
-+@openssl_pkey_get_public($private_key_file);
-+expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]);
-+// private encrypt with unknown padding
-+@openssl_private_encrypt("data", $crypted, $private_key_file, 1000);
-+expect_openssl_errors('openssl_private_encrypt', ['1C8000A5']);
-+// private decrypt with failed padding check
-+@openssl_private_decrypt("data", $crypted, $private_key_file);
-+expect_openssl_errors('openssl_private_decrypt', ['0200009F', '02000072']); -+// public encrypt and decrypt with failed padding check and padding -+@openssl_public_encrypt("data", $crypted, $public_key_file, 1000); -+@openssl_public_decrypt("data", $crypted, $public_key_file); -+expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '02000076', '0200008A', '02000072', '1C880004']); -+ -+// X509 -+echo "X509 errors\n"; -+// file for x509 (file:///) fails when opennig (BIO_new_file) -+@openssl_x509_export_to_file("file://" . $invalid_file_for_read, $output_file); -+expect_openssl_errors('openssl_x509_export_to_file open', ['10000080']); -+// file or str cert is not correct PEM - failing PEM_read_bio_X509 or PEM_ASN1_read_bio -+@openssl_x509_export_to_file($csr_file, $output_file); -+expect_openssl_errors('openssl_x509_export_to_file pem', [$err_pem_no_start_line]); -+// file to export cannot be written -+@openssl_x509_export_to_file($crt_file, $invalid_file_for_write); -+expect_openssl_errors('openssl_x509_export_to_file write', ['10080002']); -+// checking purpose fails because there is no such purpose 1000 -+@openssl_x509_checkpurpose($crt_file, 1000); -+expect_openssl_errors('openssl_x509_checkpurpose purpose', ['05800079']); -+ -+// CSR -+echo "CSR errors\n"; -+// file for csr (file:///) fails when opennig (BIO_new_file) -+@openssl_csr_get_subject("file://" . 
$invalid_file_for_read); -+expect_openssl_errors('openssl_csr_get_subject open', ['10000080']); -+// file or str csr is not correct PEM - failing PEM_read_bio_X509_REQ -+@openssl_csr_get_subject($crt_file); -+expect_openssl_errors('openssl_csr_get_subjec pem', [$err_pem_no_start_line]); -+ -+// other possible causes that are difficult to catch: -+// - ASN1_STRING_to_UTF8 fails in add_assoc_name_entry -+// - invalid php_x509_request field (NULL) would cause error with CONF_get_string -+ -+?> -+--CLEAN-- -+ -+--EXPECT-- -+PKEY errors -+openssl_pkey_export_to_file opening: ok -+openssl_pkey_export_to_file pem: ok -+openssl_pkey_export_to_file write: ok -+openssl_pkey_export: ok -+openssl_pkey_get_public: ok -+openssl_private_encrypt: ok -+openssl_private_decrypt: ok -+openssl_private_(en|de)crypt padding: ok -+X509 errors -+openssl_x509_export_to_file open: ok -+openssl_x509_export_to_file pem: ok -+openssl_x509_export_to_file write: ok -+openssl_x509_checkpurpose purpose: ok -+CSR errors -+openssl_csr_get_subject open: ok -+openssl_csr_get_subjec pem: ok --- -2.31.1 - -From f99d70f7d8d660c2ded4f8f1700771c227987021 Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Tue, 10 Aug 2021 12:17:17 +0200 -Subject: [PATCH 36/39] Switch dh_param handling to EVP_PKEY API - -(cherry picked from commit ef787bae242fdd2e72625bbce6ab4ca466b1ef59) ---- - ext/openssl/xp_ssl.c | 26 +++++++++++++++++++------- - 1 file changed, 19 insertions(+), 7 deletions(-) - -diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c -index 206543ca82..b61234943e 100644 ---- a/ext/openssl/xp_ssl.c -+++ b/ext/openssl/xp_ssl.c -@@ -1197,11 +1197,7 @@ static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength) - - static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* {{{ */ - { -- DH *dh; -- BIO* bio; -- zval *zdhpath; -- -- zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param"); -+ zval *zdhpath = 
php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param"); - if (zdhpath == NULL) { - #if 0 - /* Coming in OpenSSL 1.1 ... eventually we'll want to enable this -@@ -1216,14 +1212,29 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* - return FAILURE; - } - -- bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY)); -+ BIO *bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY)); - - if (bio == NULL) { - php_error_docref(NULL, E_WARNING, "Invalid dh_param"); - return FAILURE; - } - -- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -+#if PHP_OPENSSL_API_VERSION >= 0x30000 -+ EVP_PKEY *pkey = PEM_read_bio_Parameters(bio, NULL); -+ BIO_free(bio); -+ -+ if (pkey == NULL) { -+ php_error_docref(NULL, E_WARNING, "Failed reading DH params"); -+ return FAILURE; -+ } -+ -+ if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) < 0) { -+ php_error_docref(NULL, E_WARNING, "Failed assigning DH params"); -+ EVP_PKEY_free(pkey); -+ return FAILURE; -+ } -+#else -+ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); - BIO_free(bio); - - if (dh == NULL) { -@@ -1238,6 +1249,7 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* - } - - DH_free(dh); -+#endif - - return SUCCESS; - } --- -2.31.1 - -From b3deb9b38d4a52b4582f40d4d32240353db26653 Mon Sep 17 00:00:00 2001 -From: Nikita Popov -Date: Wed, 11 Aug 2021 10:11:12 +0200 -Subject: [PATCH 37/39] Fix openssl memory leaks - -Some leaks that snuck in during refactorings. 
- -(cherry picked from commit 7d2a2c7dc0447c81316d14f3a43a4b6a8ce0b982) ---- - ext/openssl/openssl.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c -index 9e31f76998..d8102bd4bc 100644 ---- a/ext/openssl/openssl.c -+++ b/ext/openssl/openssl.c -@@ -3463,7 +3463,9 @@ PHP_FUNCTION(openssl_csr_get_public_key) - } - - /* Retrieve the public key from the CSR */ -- EVP_PKEY *tpubkey = php_openssl_extract_public_key(X509_REQ_get_pubkey(csr)); -+ EVP_PKEY *orig_key = X509_REQ_get_pubkey(csr); -+ EVP_PKEY *tpubkey = php_openssl_extract_public_key(orig_key); -+ EVP_PKEY_free(orig_key); - - if (csr_str) { - /* We need to free the original CSR if it was freshly created */ -@@ -4328,6 +4330,7 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ - php_openssl_store_errors(); - } - if (EC_KEY_check_key(eckey)) { -+ EC_GROUP_free(group); - return true; - } else { - php_openssl_store_errors(); --- -2.31.1 - -From 02f08ac888b0c5f43468eaf76b59b29a7c2d7c74 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Fri, 10 Sep 2021 11:28:20 +0200 -Subject: [PATCH 38/39] fix [-Wmaybe-uninitialized] build warnings - -(cherry picked from commit 6ee96f095ad947ffc820437b2e9e6449000e18a2) ---- - ext/openssl/openssl.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c -index d8102bd4bc..40e6e7ba97 100644 ---- a/ext/openssl/openssl.c -+++ b/ext/openssl/openssl.c -@@ -3991,6 +3991,8 @@ static EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private) - OPENSSL_PKEY_SET_BN(data, priv_key); - OPENSSL_PKEY_SET_BN(data, pub_key); - -+ *is_private = false; -+ - if (!ctx || !bld || !p || !q || !g) { - goto cleanup; - } -@@ -4162,6 +4164,8 @@ static EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private) - OPENSSL_PKEY_SET_BN(data, priv_key); - OPENSSL_PKEY_SET_BN(data, pub_key); - -+ *is_private = false; -+ - if (!ctx 
|| !bld || !p || !g) { - goto cleanup; - } -@@ -4255,6 +4259,8 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ - zval *x; - zval *y; - -+ *is_private = false; -+ - if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL && - Z_TYPE_P(bn) == IS_STRING) { - int nid = OBJ_sn2nid(Z_STRVAL_P(bn)); -@@ -4279,7 +4285,6 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ - } - - // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y' -- *is_private = false; - if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL && - Z_TYPE_P(bn) == IS_STRING) { - *is_private = true; -@@ -4360,6 +4365,8 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { - OPENSSL_PKEY_SET_BN(data, x); - OPENSSL_PKEY_SET_BN(data, y); - -+ *is_private = false; -+ - if (!ctx || !bld || !curve_name_zv || Z_TYPE_P(curve_name_zv) != IS_STRING) { - goto cleanup; - } --- -2.31.1 - -From b881c41d32928781cb48013692da04fc84ca9107 Mon Sep 17 00:00:00 2001 -From: Jakub Zelenka -Date: Sun, 12 Sep 2021 20:30:02 +0100 -Subject: [PATCH 39/39] Make OpenSSL tests less dependent on system config - -It fixes dependencies on system config if running tests with OpenSSL 3.0 - -(cherry picked from commit 43f0141d74c1db6e792f3b625ea7f4ae57ff338f) ---- - ext/openssl/tests/bug52093.phpt | 6 +++--- - ext/openssl/tests/bug72165.phpt | 5 +++-- - ext/openssl/tests/bug73711.phpt | 3 +++ - ext/openssl/tests/ecc.phpt | 3 +++ - .../tests/openssl_error_string_basic_openssl3.phpt | 9 +++++---- - 5 files changed, 17 insertions(+), 9 deletions(-) - -diff --git a/ext/openssl/tests/bug52093.phpt b/ext/openssl/tests/bug52093.phpt -index 63eaceb5ac..162945f914 100644 ---- a/ext/openssl/tests/bug52093.phpt -+++ b/ext/openssl/tests/bug52093.phpt -@@ -14,10 +14,10 @@ $dn = array( - "commonName" => "Henrique do N. 
Angelo", - "emailAddress" => "hnangelo@php.net" - ); -- -+$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf']; - $privkey = openssl_pkey_new(); --$csr = openssl_csr_new($dn, $privkey); --$cert = openssl_csr_sign($csr, null, $privkey, 365, [], PHP_INT_MAX); -+$csr = openssl_csr_new($dn, $privkey, $options); -+$cert = openssl_csr_sign($csr, null, $privkey, 365, $options, PHP_INT_MAX); - var_dump(openssl_x509_parse($cert)['serialNumber']); - ?> - --EXPECT-- -diff --git a/ext/openssl/tests/bug72165.phpt b/ext/openssl/tests/bug72165.phpt -index 50e8b54100..fb78881fc3 100644 ---- a/ext/openssl/tests/bug72165.phpt -+++ b/ext/openssl/tests/bug72165.phpt -@@ -6,8 +6,9 @@ if (!extension_loaded("openssl")) die("skip"); - ?> - --FILE-- - "hello", 1 => "world"); --$var2 = openssl_csr_new(array(0),$var0,null,array(0)); -+$var0 = [0 => "hello", 1 => "world"]; -+$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf']; -+$var2 = openssl_csr_new([0], $var0, $options, [0]); - ?> - --EXPECTF-- - Warning: openssl_csr_new(): dn: numeric fild names are not supported in %sbug72165.php on line %d -diff --git a/ext/openssl/tests/bug73711.phpt b/ext/openssl/tests/bug73711.phpt -index 4e4bba8aa8..8ca0101d1a 100644 ---- a/ext/openssl/tests/bug73711.phpt -+++ b/ext/openssl/tests/bug73711.phpt -@@ -6,13 +6,16 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded"); - ?> - --FILE-- - OPENSSL_KEYTYPE_DSA, - "private_key_bits" => 1024, -+ 'config' => $config, - ])); - var_dump(openssl_pkey_new([ - "private_key_type" => OPENSSL_KEYTYPE_DH, - "private_key_bits" => 512, -+ 'config' => $config, - ])); - echo "DONE"; - ?> -diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt -index 0b05410c2c..1d97b1450a 100644 ---- a/ext/openssl/tests/ecc.phpt -+++ b/ext/openssl/tests/ecc.phpt -@@ -4,9 +4,11 @@ openssl_*() with OPENSSL_KEYTYPE_EC - - --FILE-- - "secp384r1", - "private_key_type" => OPENSSL_KEYTYPE_EC, -+ "config" => $config, - ); - echo 
"Testing openssl_pkey_new\n"; - $key1 = openssl_pkey_new($args); -@@ -15,6 +17,7 @@ var_dump($key1); - $argsFailed = array( - "curve_name" => "invalid_cuve_name", - "private_key_type" => OPENSSL_KEYTYPE_EC, -+ "config" => $config, - ); - - $keyFailed = openssl_pkey_new($argsFailed); -diff --git a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt -index b119346fe1..d435a53e30 100644 ---- a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt -+++ b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt -@@ -100,18 +100,19 @@ echo "\n"; - $err_pem_no_start_line = '0480006C'; - - // PKEY -+$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf']; - echo "PKEY errors\n"; - // file for pkey (file:///) fails when opennig (BIO_new_file) --@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file); -+@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file, null, $options); - expect_openssl_errors('openssl_pkey_export_to_file opening', ['10000080']); - // file or private pkey is not correct PEM - failing PEM_read_bio_PrivateKey --@openssl_pkey_export_to_file($csr_file, $output_file); -+@openssl_pkey_export_to_file($csr_file, $output_file, null, $options); - expect_openssl_errors('openssl_pkey_export_to_file pem', ['1E08010C']); - // file to export cannot be written --@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write); -+@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write, null, $options); - expect_openssl_errors('openssl_pkey_export_to_file write', ['10080002']); - // successful export --@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd'); -+@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd', $options); - expect_openssl_errors('openssl_pkey_export', ['1C800064', '04800065']); - // invalid x509 for getting public key - @openssl_pkey_get_public($private_key_file); --- 
-2.31.1
-
diff --git a/php-8.0.10-phar-sha.patch b/php-8.0.10-phar-sha.patch
deleted file mode 100644
index 7d6fa2c..0000000
--- a/php-8.0.10-phar-sha.patch
+++ /dev/null
@@ -1,515 +0,0 @@ -Backported for 8.0 from - - -From 8bb0c74e24359a11216824117ac3adf3d5ef7b71 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Thu, 5 Aug 2021 11:10:15 +0200 -Subject: [PATCH] switch phar to use sha256 signature by default - ---- - ext/phar/phar/pharcommand.inc | 2 +- - ext/phar/tests/create_new_and_modify.phpt | 4 ++-- - ext/phar/tests/create_new_phar_c.phpt | 4 ++-- - ext/phar/tests/phar_setsignaturealgo2.phpt | 2 +- - ext/phar/tests/tar/phar_setsignaturealgo2.phpt | 2 +- - ext/phar/tests/zip/phar_setsignaturealgo2.phpt | 2 +- - ext/phar/util.c | 6 +++--- - ext/phar/zip.c | 2 +- - 8 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc -index a31290eee75fe..5f698b4bec26b 100644 ---- a/ext/phar/phar/pharcommand.inc -+++ b/ext/phar/phar/pharcommand.inc -@@ -92,7 +92,7 @@ class PharCommand extends CLICommand - 'typ' => 'select', - 'val' => NULL, - 'inf' => ' Selects the hash algorithm.', -- 'select' => array('md5' => 'MD5','sha1' => 'SHA1') -+ 'select' => array('md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL') - ), - 'i' => array( - 'typ' => 'regex', -diff --git a/ext/phar/tests/create_new_and_modify.phpt b/ext/phar/tests/create_new_and_modify.phpt -index 02e36c6cea2fe..32defcae8a639 100644 ---- a/ext/phar/tests/create_new_and_modify.phpt -+++ b/ext/phar/tests/create_new_and_modify.phpt -@@ -49,8 +49,8 @@ include $pname . '/b.php'; - - --EXPECTF-- - brand new! --string(40) "%s" --string(40) "%s" -+string(%d) "%s" -+string(%d) "%s" - bool(true) - modified! - another! 
-diff --git a/ext/phar/tests/create_new_phar_c.phpt b/ext/phar/tests/create_new_phar_c.phpt -index 566d3c4d5f8ad..bf6d740fd1d10 100644 ---- a/ext/phar/tests/create_new_phar_c.phpt -+++ b/ext/phar/tests/create_new_phar_c.phpt -@@ -20,7 +20,7 @@ var_dump($phar->getSignature()); - --EXPECTF-- - array(2) { - ["hash"]=> -- string(40) "%s" -+ string(64) "%s" - ["hash_type"]=> -- string(5) "SHA-1" -+ string(7) "SHA-256" - } -diff --git a/ext/phar/tests/phar_setsignaturealgo2.phpt b/ext/phar/tests/phar_setsignaturealgo2.phpt -index 293d3196713d8..4f31836fbbbcc 100644 ---- a/ext/phar/tests/phar_setsignaturealgo2.phpt -+++ b/ext/phar/tests/phar_setsignaturealgo2.phpt -@@ -52,7 +52,7 @@ array(2) { - ["hash"]=> - string(%d) "%s" - ["hash_type"]=> -- string(5) "SHA-1" -+ string(7) "SHA-256" - } - array(2) { - ["hash"]=> -diff --git a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt -index 9923ac5c88476..cc10a241d739b 100644 ---- a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt -+++ b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt -@@ -51,7 +51,7 @@ array(2) { - ["hash"]=> - string(%d) "%s" - ["hash_type"]=> -- string(5) "SHA-1" -+ string(7) "SHA-256" - } - array(2) { - ["hash"]=> -diff --git a/ext/phar/tests/zip/phar_setsignaturealgo2.phpt b/ext/phar/tests/zip/phar_setsignaturealgo2.phpt -index 8de77479d7825..60fec578ee894 100644 ---- a/ext/phar/tests/zip/phar_setsignaturealgo2.phpt -+++ b/ext/phar/tests/zip/phar_setsignaturealgo2.phpt -@@ -78,7 +78,7 @@ array(2) { - ["hash"]=> - string(%d) "%s" - ["hash_type"]=> -- string(5) "SHA-1" -+ string(7) "SHA-256" - } - array(2) { - ["hash"]=> -diff --git a/ext/phar/util.c b/ext/phar/util.c -index 314acfe81a788..8d2db03b69601 100644 ---- a/ext/phar/util.c -+++ b/ext/phar/util.c -@@ -1798,6 +1798,8 @@ int phar_create_signature(phar_archive_d - *signature_length = 64; - break; - } -+ default: -+ phar->sig_flags = PHAR_SIG_SHA256; - case PHAR_SIG_SHA256: { - unsigned char digest[32]; - 
PHP_SHA256_CTX context; -@@ -1894,8 +1896,6 @@ int phar_create_signature(phar_archive_d - *signature_length = siglen; - } - break; -- default: -- phar->sig_flags = PHAR_SIG_SHA1; - case PHAR_SIG_SHA1: { - unsigned char digest[20]; - PHP_SHA1_CTX context; -diff --git a/ext/phar/zip.c b/ext/phar/zip.c -index 31d4bd2998215..c5e38cabf7b87 100644 ---- a/ext/phar/zip.c -+++ b/ext/phar/zip.c -@@ -1423,7 +1423,7 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, zend_long len, int - - memcpy(eocd.signature, "PK\5\6", 4); - if (!phar->is_data && !phar->sig_flags) { -- phar->sig_flags = PHAR_SIG_SHA1; -+ phar->sig_flags = PHAR_SIG_SHA256; - } - if (phar->sig_flags) { - PHAR_SET_16(eocd.counthere, zend_hash_num_elements(&phar->manifest) + 1); - -From c51af22fef988c1b2f92b7b9e3a9d745f7084815 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Thu, 5 Aug 2021 16:49:48 +0200 -Subject: [PATCH] implement openssl_256 and openssl_512 for phar singatures - ---- - ext/openssl/openssl.c | 1 + - ext/phar/phar.1.in | 10 +++- - ext/phar/phar.c | 8 +++- - ext/phar/phar/pharcommand.inc | 14 +++++- - ext/phar/phar_internal.h | 2 + - ext/phar/phar_object.c | 24 ++++++++-- - ext/phar/tests/files/openssl256.phar | Bin 0 -> 7129 bytes - ext/phar/tests/files/openssl256.phar.pubkey | 6 +++ - ext/phar/tests/files/openssl512.phar | Bin 0 -> 7129 bytes - ext/phar/tests/files/openssl512.phar.pubkey | 6 +++ - .../phar_get_supported_signatures_002a.phpt | 6 ++- - .../tests/tar/phar_setsignaturealgo2.phpt | 16 +++++++ - ext/phar/tests/test_signaturealgos.phpt | 8 ++++ - ext/phar/util.c | 45 ++++++++++++++---- - 14 files changed, 128 insertions(+), 18 deletions(-) - create mode 100644 ext/phar/tests/files/openssl256.phar - create mode 100644 ext/phar/tests/files/openssl256.phar.pubkey - create mode 100644 ext/phar/tests/files/openssl512.phar - create mode 100644 ext/phar/tests/files/openssl512.phar.pubkey - -diff --git a/ext/phar/phar.1.in b/ext/phar/phar.1.in -index 
77912b241dfd5..323e77b0e2a3b 100644 ---- a/ext/phar/phar.1.in -+++ b/ext/phar/phar.1.in -@@ -475,7 +475,15 @@ SHA512 - .TP - .PD - .B openssl --OpenSSL -+OpenSSL using SHA-1 -+.TP -+.PD -+.B openssl_sha256 -+OpenSSL using SHA-256 -+.TP -+.PD -+.B openssl_sha512 -+OpenSSL using SHA-512 - - .SH SEE ALSO - For a more or less complete description of PHAR look here: -diff --git a/ext/phar/phar.c b/ext/phar/phar.c -index 77f21cef9da53..bc08e4edde05d 100644 ---- a/ext/phar/phar.c -+++ b/ext/phar/phar.c -@@ -869,6 +869,8 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch - PHAR_GET_32(sig_ptr, sig_flags); - - switch(sig_flags) { -+ case PHAR_SIG_OPENSSL_SHA512: -+ case PHAR_SIG_OPENSSL_SHA256: - case PHAR_SIG_OPENSSL: { - uint32_t signature_len; - char *sig; -@@ -903,7 +905,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch - return FAILURE; - } - -- if (FAILURE == phar_verify_signature(fp, end_of_phar, PHAR_SIG_OPENSSL, sig, signature_len, fname, &signature, &sig_len, error)) { -+ if (FAILURE == phar_verify_signature(fp, end_of_phar, sig_flags, sig, signature_len, fname, &signature, &sig_len, error)) { - efree(savebuf); - efree(sig); - php_stream_close(fp); -@@ -3162,7 +3164,9 @@ int phar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int conv - - php_stream_write(newfile, digest, digest_len); - efree(digest); -- if (phar->sig_flags == PHAR_SIG_OPENSSL) { -+ if (phar->sig_flags == PHAR_SIG_OPENSSL || -+ phar->sig_flags == PHAR_SIG_OPENSSL_SHA256 || -+ phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) { - phar_set_32(sig_buf, digest_len); - php_stream_write(newfile, sig_buf, 4); - } -diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc -index 5f698b4bec26b..1b1eeca59c560 100644 ---- a/ext/phar/phar/pharcommand.inc -+++ b/ext/phar/phar/pharcommand.inc -@@ -92,7 +92,7 @@ class PharCommand extends CLICommand - 'typ' => 'select', - 'val' => NULL, - 'inf' => ' Selects the hash 
algorithm.', -- 'select' => array('md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL') -+ 'select' => ['md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL', 'openssl_sha256' => 'OPENSSL_SHA256', 'openssl_sha512' => 'OPENSSL_SHA512'] - ), - 'i' => array( - 'typ' => 'regex', -@@ -156,6 +156,8 @@ class PharCommand extends CLICommand - $hash_avail = Phar::getSupportedSignatures(); - $hash_optional = array('SHA-256' => 'SHA256', - 'SHA-512' => 'SHA512', -+ 'OpenSSL_sha256' => 'OpenSSL_SHA256', -+ 'OpenSSL_sha512' => 'OpenSSL_SHA512', - 'OpenSSL' => 'OpenSSL'); - if (!in_array('OpenSSL', $hash_avail)) { - unset($phar_args['y']); -@@ -429,6 +431,16 @@ class PharCommand extends CLICommand - self::error("Cannot use OpenSSL signing without key.\n"); - } - return Phar::OPENSSL; -+ case 'openssl_sha256': -+ if (!$privkey) { -+ self::error("Cannot use OpenSSL signing without key.\n"); -+ } -+ return Phar::OPENSSL_SHA256; -+ case 'openssl_sha512': -+ if (!$privkey) { -+ self::error("Cannot use OpenSSL signing without key.\n"); -+ } -+ return Phar::OPENSSL_SHA512; - } - } - // }}} -diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h -index a9f81e2ab994a..30b408a8c4462 100644 ---- a/ext/phar/phar_internal.h -+++ b/ext/phar/phar_internal.h -@@ -88,6 +88,8 @@ - #define PHAR_SIG_SHA256 0x0003 - #define PHAR_SIG_SHA512 0x0004 - #define PHAR_SIG_OPENSSL 0x0010 -+#define PHAR_SIG_OPENSSL_SHA256 0x0011 -+#define PHAR_SIG_OPENSSL_SHA512 0x0012 - - /* flags byte for each file adheres to these bitmasks. 
- All unused values are reserved */ -diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c -index 9c1e5f2fa1eef..c05970e657f18 100644 ---- a/ext/phar/phar_object.c -+++ b/ext/phar/phar_object.c -@@ -1246,9 +1246,13 @@ PHP_METHOD(Phar, getSupportedSignatures) - add_next_index_stringl(return_value, "SHA-512", 7); - #ifdef PHAR_HAVE_OPENSSL - add_next_index_stringl(return_value, "OpenSSL", 7); -+ add_next_index_stringl(return_value, "OpenSSL_SHA256", 14); -+ add_next_index_stringl(return_value, "OpenSSL_SHA512", 14); - #else - if (zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) { - add_next_index_stringl(return_value, "OpenSSL", 7); -+ add_next_index_stringl(return_value, "OpenSSL_SHA256", 14); -+ add_next_index_stringl(return_value, "OpenSSL_SHA512", 14); - } - #endif - } -@@ -3028,6 +3032,8 @@ PHP_METHOD(Phar, setSignatureAlgorithm) - case PHAR_SIG_MD5: - case PHAR_SIG_SHA1: - case PHAR_SIG_OPENSSL: -+ case PHAR_SIG_OPENSSL_SHA256: -+ case PHAR_SIG_OPENSSL_SHA512: - if (phar_obj->archive->is_persistent && FAILURE == phar_copy_on_write(&(phar_obj->archive))) { - zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" is persistent, unable to copy on write", phar_obj->archive->fname); - RETURN_THROWS(); -@@ -3066,19 +3072,25 @@ PHP_METHOD(Phar, getSignature) - add_assoc_stringl(return_value, "hash", phar_obj->archive->signature, phar_obj->archive->sig_len); - switch(phar_obj->archive->sig_flags) { - case PHAR_SIG_MD5: -- add_assoc_stringl(return_value, "hash_type", "MD5", 3); -+ add_assoc_string(return_value, "hash_type", "MD5"); - break; - case PHAR_SIG_SHA1: -- add_assoc_stringl(return_value, "hash_type", "SHA-1", 5); -+ add_assoc_string(return_value, "hash_type", "SHA-1"); - break; - case PHAR_SIG_SHA256: -- add_assoc_stringl(return_value, "hash_type", "SHA-256", 7); -+ add_assoc_string(return_value, "hash_type", "SHA-256"); - break; - case PHAR_SIG_SHA512: -- add_assoc_stringl(return_value, "hash_type", "SHA-512", 7); -+ 
add_assoc_string(return_value, "hash_type", "SHA-512"); - break; - case PHAR_SIG_OPENSSL: -- add_assoc_stringl(return_value, "hash_type", "OpenSSL", 7); -+ add_assoc_string(return_value, "hash_type", "OpenSSL"); -+ break; -+ case PHAR_SIG_OPENSSL_SHA256: -+ add_assoc_string(return_value, "hash_type", "OpenSSL_SHA256"); -+ break; -+ case PHAR_SIG_OPENSSL_SHA512: -+ add_assoc_string(return_value, "hash_type", "OpenSSL_SHA512"); - break; - default: - unknown = strpprintf(0, "Unknown (%u)", phar_obj->archive->sig_flags); -@@ -5103,6 +5115,8 @@ void phar_object_init(void) /* {{{ */ - REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "PHPS", PHAR_MIME_PHPS) - REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "MD5", PHAR_SIG_MD5) - REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL", PHAR_SIG_OPENSSL) -+ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL_SHA256", PHAR_SIG_OPENSSL_SHA256) -+ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL_SHA512", PHAR_SIG_OPENSSL_SHA512) - REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA1", PHAR_SIG_SHA1) - REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA256", PHAR_SIG_SHA256) - REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA512", PHAR_SIG_SHA512) -diff --git a/ext/phar/tests/phar_get_supported_signatures_002a.phpt b/ext/phar/tests/phar_get_supported_signatures_002a.phpt -index 06d811f2c35c2..639143b3d2c90 100644 ---- a/ext/phar/tests/phar_get_supported_signatures_002a.phpt -+++ b/ext/phar/tests/phar_get_supported_signatures_002a.phpt -@@ -14,7 +14,7 @@ phar.readonly=0 - var_dump(Phar::getSupportedSignatures()); - ?> - --EXPECT-- --array(5) { -+array(7) { - [0]=> - string(3) "MD5" - [1]=> -@@ -25,4 +25,8 @@ array(5) { - string(7) "SHA-512" - [4]=> - string(7) "OpenSSL" -+ [5]=> -+ string(14) "OpenSSL_SHA256" -+ [6]=> -+ string(14) "OpenSSL_SHA512" - } -diff --git a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt -index cc10a241d739b..c2eb5d77a5bf0 100644 ---- 
a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt -+++ b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt -@@ -38,6 +38,10 @@ $pkey = ''; - openssl_pkey_export($private, $pkey, NULL, $config_arg); - $p->setSignatureAlgorithm(Phar::OPENSSL, $pkey); - var_dump($p->getSignature()); -+$p->setSignatureAlgorithm(Phar::OPENSSL_SHA512, $pkey); -+var_dump($p->getSignature()); -+$p->setSignatureAlgorithm(Phar::OPENSSL_SHA256, $pkey); -+var_dump($p->getSignature()); - } catch (Exception $e) { - echo $e->getMessage(); - } -@@ -83,3 +87,15 @@ array(2) { - ["hash_type"]=> - string(7) "OpenSSL" - } -+array(2) { -+ ["hash"]=> -+ string(%d) "%s" -+ ["hash_type"]=> -+ string(14) "OpenSSL_SHA512" -+} -+array(2) { -+ ["hash"]=> -+ string(%d) "%s" -+ ["hash_type"]=> -+ string(14) "OpenSSL_SHA256" -+} -diff --git a/ext/phar/util.c b/ext/phar/util.c -index 8d2db03b69601..515830bf2c70a 100644 ---- a/ext/phar/util.c -+++ b/ext/phar/util.c -@@ -34,7 +34,7 @@ - #include - #include - #else --static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len); -+static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, php_uint32 sig_type); - #endif - - /* for links to relative location, prepend cwd of the entry */ -@@ -1381,11 +1381,11 @@ static int phar_hex_str(const char *digest, size_t digest_len, char **signature) - /* }}} */ - - #ifndef PHAR_HAVE_OPENSSL --static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len) /* {{{ */ -+static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, php_uint32 sig_type) /* {{{ */ - { - zend_fcall_info fci; - zend_fcall_info_cache fcc; -- zval retval, zp[3], openssl; -+ zval retval, zp[4], 
openssl; - zend_string *str; - - ZVAL_STRINGL(&openssl, is_sign ? "openssl_sign" : "openssl_verify", is_sign ? sizeof("openssl_sign")-1 : sizeof("openssl_verify")-1); -@@ -1402,6 +1402,14 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t - } else { - ZVAL_EMPTY_STRING(&zp[0]); - } -+ if (sig_type == PHAR_SIG_OPENSSL_SHA512) { -+ ZVAL_LONG(&zp[3], 9); /* value from openssl.c #define OPENSSL_ALGO_SHA512 9 */ -+ } else if (sig_type == PHAR_SIG_OPENSSL_SHA256) { -+ ZVAL_LONG(&zp[3], 7); /* value from openssl.c #define OPENSSL_ALGO_SHA256 7 */ -+ } else { -+ /* don't rely on default value which may change in the future */ -+ ZVAL_LONG(&zp[3], 1); /* value from openssl.c #define OPENSSL_ALGO_SHA1 1 */ -+ } - - if ((size_t)end != Z_STRLEN(zp[0])) { - zval_ptr_dtor_str(&zp[0]); -@@ -1419,7 +1427,7 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t - return FAILURE; - } - -- fci.param_count = 3; -+ fci.param_count = 4; - fci.params = zp; - Z_ADDREF(zp[0]); - if (is_sign) { -@@ -1482,12 +1490,22 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type, - php_stream_rewind(fp); - - switch (sig_type) { -+ case PHAR_SIG_OPENSSL_SHA512: -+ case PHAR_SIG_OPENSSL_SHA256: - case PHAR_SIG_OPENSSL: { - #ifdef PHAR_HAVE_OPENSSL - BIO *in; - EVP_PKEY *key; -- EVP_MD *mdtype = (EVP_MD *) EVP_sha1(); -+ const EVP_MD *mdtype; - EVP_MD_CTX *md_ctx; -+ -+ if (sig_type == PHAR_SIG_OPENSSL_SHA512) { -+ mdtype = EVP_sha512(); -+ } else if (sig_type == PHAR_SIG_OPENSSL_SHA256) { -+ mdtype = EVP_sha256(); -+ } else { -+ mdtype = EVP_sha1(); -+ } - #else - size_t tempsig; - #endif -@@ -1521,7 +1539,7 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type, - #ifndef PHAR_HAVE_OPENSSL - tempsig = sig_len; - -- if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey ? ZSTR_VAL(pubkey) : NULL, pubkey ? 
ZSTR_LEN(pubkey) : 0, &sig, &tempsig)) { -+ if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey ? ZSTR_VAL(pubkey) : NULL, pubkey ? ZSTR_LEN(pubkey) : 0, &sig, &tempsig, sig_type)) { - if (pubkey) { - zend_string_release_ex(pubkey, 0); - } -@@ -1815,6 +1833,8 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat - *signature_length = 32; - break; - } -+ case PHAR_SIG_OPENSSL_SHA512: -+ case PHAR_SIG_OPENSSL_SHA256: - case PHAR_SIG_OPENSSL: { - unsigned char *sigbuf; - #ifdef PHAR_HAVE_OPENSSL -@@ -1822,6 +1842,15 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat - BIO *in; - EVP_PKEY *key; - EVP_MD_CTX *md_ctx; -+ const EVP_MD *mdtype; -+ -+ if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) { -+ mdtype = EVP_sha512(); -+ } else if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA256) { -+ mdtype = EVP_sha256(); -+ } else { -+ mdtype = EVP_sha1(); -+ } - - in = BIO_new_mem_buf(PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len)); - -@@ -1847,7 +1876,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat - siglen = EVP_PKEY_size(key); - sigbuf = emalloc(siglen + 1); - -- if (!EVP_SignInit(md_ctx, EVP_sha1())) { -+ if (!EVP_SignInit(md_ctx, mdtype)) { - EVP_PKEY_free(key); - efree(sigbuf); - if (error) { -@@ -1885,7 +1914,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat - siglen = 0; - php_stream_seek(fp, 0, SEEK_END); - -- if (FAILURE == phar_call_openssl_signverify(1, fp, php_stream_tell(fp), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen)) { -+ if (FAILURE == phar_call_openssl_signverify(1, fp, php_stream_tell(fp), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen, phar->sig_flags)) { - if (error) { - spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname); - } 
diff --git a/php-8.0.10-snmp-sha.patch b/php-8.0.10-snmp-sha.patch
deleted file mode 100644
index a48ad5f..0000000
--- a/php-8.0.10-snmp-sha.patch
+++ /dev/null
@@ -1,143 +0,0 @@ -Backported for 8.0 from - - -From 718e91343fddb8817a004f96f111c424843bf746 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Wed, 11 Aug 2021 13:02:18 +0200 -Subject: [PATCH] add SHA256 and SHA512 for security protocol - ---- - ext/snmp/config.m4 | 18 +++++++++- - ext/snmp/snmp.c | 33 ++++++++++++++++++- - .../tests/snmp-object-setSecurity_error.phpt | 2 +- - ext/snmp/tests/snmp3-error.phpt | 2 +- - 4 files changed, 51 insertions(+), 4 deletions(-) - -diff --git a/ext/snmp/config.m4 b/ext/snmp/config.m4 -index 1475ddfe2b7f0..f285a572de9cb 100644 ---- a/ext/snmp/config.m4 -+++ b/ext/snmp/config.m4 -@@ -30,7 +30,7 @@ if test "$PHP_SNMP" != "no"; then - AC_MSG_ERROR([Could not find the required paths. Please check your net-snmp installation.]) - fi - else -- AC_MSG_ERROR([Net-SNMP version 5.3 or greater reqired (detected $snmp_full_version).]) -+ AC_MSG_ERROR([Net-SNMP version 5.3 or greater required (detected $snmp_full_version).]) - fi - else - AC_MSG_ERROR([Could not find net-snmp-config binary. Please check your net-snmp installation.]) -@@ -54,6 +54,22 @@ if test "$PHP_SNMP" != "no"; then - $SNMP_SHARED_LIBADD - ]) - -+ dnl Check whether usmHMAC192SHA256AuthProtocol exists. -+ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC192SHA256AuthProtocol, -+ [ -+ AC_DEFINE(HAVE_SNMP_SHA256, 1, [ ]) -+ ], [], [ -+ $SNMP_SHARED_LIBADD -+ ]) -+ -+ dnl Check whether usmHMAC384SHA512AuthProtocol exists. 
-+ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC384SHA512AuthProtocol, -+ [ -+ AC_DEFINE(HAVE_SNMP_SHA512, 1, [ ]) -+ ], [], [ -+ $SNMP_SHARED_LIBADD -+ ]) -+ - PHP_NEW_EXTENSION(snmp, snmp.c, $ext_shared) - PHP_SUBST(SNMP_SHARED_LIBADD) - fi -diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c -index 69d6549405b17..f0917501751f5 100644 ---- a/ext/snmp/snmp.c -+++ b/ext/snmp/snmp.c -@@ -29,6 +29,7 @@ - #include "php_snmp.h" - - #include "zend_exceptions.h" -+#include "zend_smart_string.h" - #include "ext/spl/spl_exceptions.h" - #include "snmp_arginfo.h" - -@@ -938,16 +939,48 @@ static int netsnmp_session_set_auth_protocol(struct snmp_session *s, char *prot) - if (!strcasecmp(prot, "MD5")) { - s->securityAuthProto = usmHMACMD5AuthProtocol; - s->securityAuthProtoLen = USM_AUTH_PROTO_MD5_LEN; -- } else -+ return 0; -+ } - #endif -+ - if (!strcasecmp(prot, "SHA")) { - s->securityAuthProto = usmHMACSHA1AuthProtocol; - s->securityAuthProtoLen = USM_AUTH_PROTO_SHA_LEN; -- } else { -- zend_value_error("Authentication protocol must be either \"MD5\" or \"SHA\""); -- return (-1); -+ return 0; - } -- return (0); -+ -+#ifdef HAVE_SNMP_SHA256 -+ if (!strcasecmp(prot, "SHA256")) { -+ s->securityAuthProto = usmHMAC192SHA256AuthProtocol; -+ s->securityAuthProtoLen = sizeof(usmHMAC192SHA256AuthProtocol) / sizeof(oid); -+ return 0; -+ } -+#endif -+ -+#ifdef HAVE_SNMP_SHA512 -+ if (!strcasecmp(prot, "SHA512")) { -+ s->securityAuthProto = usmHMAC384SHA512AuthProtocol; -+ s->securityAuthProtoLen = sizeof(usmHMAC384SHA512AuthProtocol) / sizeof(oid); -+ return 0; -+ } -+#endif -+ -+ smart_string err = {0}; -+ -+ smart_string_appends(&err, "Authentication protocol must be \"SHA\""); -+#ifdef HAVE_SNMP_SHA256 -+ smart_string_appends(&err, " or \"SHA256\""); -+#endif -+#ifdef HAVE_SNMP_SHA512 -+ smart_string_appends(&err, " or \"SHA512\""); -+#endif -+#ifndef DISABLE_MD5 -+ smart_string_appends(&err, " or \"MD5\""); -+#endif -+ smart_string_0(&err); -+ zend_value_error("%s", err.c); -+ 
smart_string_free(&err); -+ return -1; - } - /* }}} */ - -diff --git a/ext/snmp/tests/snmp-object-setSecurity_error.phpt b/ext/snmp/tests/snmp-object-setSecurity_error.phpt -index f8de846492a75..cf4f928837773 100644 ---- a/ext/snmp/tests/snmp-object-setSecurity_error.phpt -+++ b/ext/snmp/tests/snmp-object-setSecurity_error.phpt -@@ -59,7 +59,7 @@ var_dump($session->close()); - --EXPECTF-- - Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" - Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" --Authentication protocol must be either "MD5" or "SHA" -+Authentication protocol must be %s - - Warning: SNMP::setSecurity(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d - bool(false) -diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt -index 849e363b45058..389800dad6b28 100644 ---- a/ext/snmp/tests/snmp3-error.phpt -+++ b/ext/snmp/tests/snmp3-error.phpt -@@ -58,7 +58,7 @@ try { - Checking error handling - Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" - Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" --Authentication protocol must be either "MD5" or "SHA" -+Authentication protocol must be %s - - Warning: snmp3_get(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d - bool(false) diff --git a/php-8.0.10-systzdata-v21.patch b/php-8.0.10-systzdata-v21.patch deleted file mode 100644 index 779f538..0000000 --- a/php-8.0.10-systzdata-v21.patch +++ /dev/null 
@@ -1,718 +0,0 @@ -# License: MIT -# http://opensource.org/licenses/MIT - -Add support for use of the system timezone database, rather -than embedding a copy. Discussed upstream but was not desired. - -History: -r21: retrieve tzdata version from /usr/share/zoneinfo/tzdata.zi -r20: adapt for timelib 2020.03 (in 8.0.10RC1) -r19: adapt for timelib 2020.02 (in 8.0.0beta2) -r18: adapt for autotool change in 7.3.3RC1 -r17: adapt for timelib 2018.01 (in 7.3.2RC1) -r16: adapt for timelib 2017.06 (in 7.2.3RC1) -r15: adapt for timelib 2017.05beta7 (in 7.2.0RC1) -r14: improve check for valid tz file -r13: adapt for upstream changes to use PHP allocator -r12: adapt for upstream changes for new zic -r11: use canonical names to avoid more case sensitivity issues - round lat/long from zone.tab towards zero per builtin db -r10: make timezone case insensitive -r9: fix another compile error without --with-system-tzdata configured (Michael Heimpold) -r8: fix compile error without --with-system-tzdata configured -r7: improve check for valid timezone id to exclude directories -r6: fix fd leak in r5, fix country code/BC flag use in - timezone_identifiers_list() using system db, - fix use of PECL timezonedb to override system db, -r5: reverts addition of "System/Localtime" fake tzname. 
- updated for 5.3.0, parses zone.tab to pick up mapping between - timezone name, country code and long/lat coords -r4: added "System/Localtime" tzname which uses /etc/localtime -r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert) -r2: add filesystem trawl to set up name alias index -r1: initial revision - -diff --git a/ext/date/config0.m4 b/ext/date/config0.m4 -index 20e4164aaa..a61243646d 100644 ---- a/ext/date/config0.m4 -+++ b/ext/date/config0.m4 -@@ -4,6 +4,19 @@ AC_CHECK_HEADERS([io.h]) - dnl Check for strtoll, atoll - AC_CHECK_FUNCS(strtoll atoll) - -+PHP_ARG_WITH(system-tzdata, for use of system timezone data, -+[ --with-system-tzdata[=DIR] to specify use of system timezone data], -+no, no) -+ -+if test "$PHP_SYSTEM_TZDATA" != "no"; then -+ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used]) -+ -+ if test "$PHP_SYSTEM_TZDATA" != "yes"; then -+ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA", -+ [Define for location of system timezone data]) -+ fi -+fi -+ - PHP_DATE_CFLAGS="-I@ext_builddir@/lib -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -DHAVE_TIMELIB_CONFIG_H=1" - timelib_sources="lib/astro.c lib/dow.c lib/parse_date.c lib/parse_tz.c - lib/timelib.c lib/tm2unixtime.c lib/unixtime2tm.c lib/parse_iso_intervals.c lib/interval.c" -diff --git a/ext/date/lib/parse_tz.c b/ext/date/lib/parse_tz.c -index e9bd0f136d..c04ff01adc 100644 ---- a/ext/date/lib/parse_tz.c -+++ b/ext/date/lib/parse_tz.c -@@ -26,8 +26,21 @@ - #include "timelib.h" - #include "timelib_private.h" - -+#ifdef HAVE_SYSTEM_TZDATA -+#include -+#include -+#include -+#include -+#include -+ -+#include "php_scandir.h" -+ -+#else - #define TIMELIB_SUPPORTS_V2DATA - #include "timezonedb.h" -+#endif -+ -+#include - - #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__)) - # if defined(__LITTLE_ENDIAN__) -@@ -94,6 +107,11 @@ static int read_php_preamble(const unsigned char **tzf, timelib_tzinfo *tz) - 
{ - uint32_t version; - -+ if (memcmp(*tzf, "TZif", 4) == 0) { -+ *tzf += 20; -+ return 0; -+ } -+ - /* read ID */ - version = (*tzf)[3] - '0'; - *tzf += 4; -@@ -435,7 +453,467 @@ void timelib_dump_tzinfo(timelib_tzinfo *tz) - } - } - --static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, const timelib_tzdb *tzdb) -+#ifdef HAVE_SYSTEM_TZDATA -+ -+#ifdef HAVE_SYSTEM_TZDATA_PREFIX -+#define ZONEINFO_PREFIX HAVE_SYSTEM_TZDATA_PREFIX -+#else -+#define ZONEINFO_PREFIX "/usr/share/zoneinfo" -+#endif -+ -+/* System timezone database pointer. */ -+static const timelib_tzdb *timezonedb_system; -+ -+/* Hash table entry for the cache of the zone.tab mapping table. */ -+struct location_info { -+ char code[2]; -+ double latitude, longitude; -+ char name[64]; -+ char *comment; -+ struct location_info *next; -+}; -+ -+/* Cache of zone.tab. */ -+static struct location_info **system_location_table; -+ -+/* Size of the zone.tab hash table; a random-ish prime big enough to -+ * prevent too many collisions. */ -+#define LOCINFO_HASH_SIZE (1021) -+ -+/* Compute a case insensitive hash of str */ -+static uint32_t tz_hash(const char *str) -+{ -+ const unsigned char *p = (const unsigned char *)str; -+ uint32_t hash = 5381; -+ int c; -+ -+ while ((c = tolower(*p++)) != '\0') { -+ hash = (hash << 5) ^ hash ^ c; -+ } -+ -+ return hash % LOCINFO_HASH_SIZE; -+} -+ -+/* Parse an ISO-6709 date as used in zone.tab. Returns end of the -+ * parsed string on success, or NULL on parse error. On success, -+ * writes the parsed number to *result. 
*/ -+static char *parse_iso6709(char *p, double *result) -+{ -+ double v, sign; -+ char *pend; -+ size_t len; -+ -+ if (*p == '+') -+ sign = 1.0; -+ else if (*p == '-') -+ sign = -1.0; -+ else -+ return NULL; -+ -+ p++; -+ for (pend = p; *pend >= '0' && *pend <= '9'; pend++) -+ ;; -+ -+ /* Annoying encoding used by zone.tab has no decimal point, so use -+ * the length to determine the format: -+ * -+ * 4 = DDMM -+ * 5 = DDDMM -+ * 6 = DDMMSS -+ * 7 = DDDMMSS -+ */ -+ len = pend - p; -+ if (len < 4 || len > 7) { -+ return NULL; -+ } -+ -+ /* p => [D]DD */ -+ v = (p[0] - '0') * 10.0 + (p[1] - '0'); -+ p += 2; -+ if (len == 5 || len == 7) -+ v = v * 10.0 + (*p++ - '0'); -+ /* p => MM[SS] */ -+ v += (10.0 * (p[0] - '0') -+ + p[1] - '0') / 60.0; -+ p += 2; -+ /* p => [SS] */ -+ if (len > 5) { -+ v += (10.0 * (p[0] - '0') -+ + p[1] - '0') / 3600.0; -+ p += 2; -+ } -+ -+ /* Round to five decimal place, not because it's a good idea, -+ * but, because the builtin data uses rounded data, so, match -+ * that. */ -+ *result = trunc(v * sign * 100000.0) / 100000.0; -+ -+ return p; -+} -+ -+/* This function parses the zone.tab file to build up the mapping of -+ * timezone to country code and geographic location, and returns a -+ * hash table. 
The hash table is indexed by the function: -+ * -+ * tz_hash(timezone-name) -+ */ -+static struct location_info **create_location_table(void) -+{ -+ struct location_info **li, *i; -+ char zone_tab[PATH_MAX]; -+ char line[512]; -+ FILE *fp; -+ -+ strncpy(zone_tab, ZONEINFO_PREFIX "/zone.tab", sizeof zone_tab); -+ -+ fp = fopen(zone_tab, "r"); -+ if (!fp) { -+ return NULL; -+ } -+ -+ li = calloc(LOCINFO_HASH_SIZE, sizeof *li); -+ -+ while (fgets(line, sizeof line, fp)) { -+ char *p = line, *code, *name, *comment; -+ uint32_t hash; -+ double latitude, longitude; -+ -+ while (isspace(*p)) -+ p++; -+ -+ if (*p == '#' || *p == '\0' || *p == '\n') -+ continue; -+ -+ if (!isalpha(p[0]) || !isalpha(p[1]) || p[2] != '\t') -+ continue; -+ -+ /* code => AA */ -+ code = p; -+ p[2] = 0; -+ p += 3; -+ -+ /* coords => [+-][D]DDMM[SS][+-][D]DDMM[SS] */ -+ p = parse_iso6709(p, &latitude); -+ if (!p) { -+ continue; -+ } -+ p = parse_iso6709(p, &longitude); -+ if (!p) { -+ continue; -+ } -+ -+ if (!p || *p != '\t') { -+ continue; -+ } -+ -+ /* name = string */ -+ name = ++p; -+ while (*p != '\t' && *p && *p != '\n') -+ p++; -+ -+ *p++ = '\0'; -+ -+ /* comment = string */ -+ comment = p; -+ while (*p != '\t' && *p && *p != '\n') -+ p++; -+ -+ if (*p == '\n' || *p == '\t') -+ *p = '\0'; -+ -+ hash = tz_hash(name); -+ i = malloc(sizeof *i); -+ memcpy(i->code, code, 2); -+ strncpy(i->name, name, sizeof i->name); -+ i->comment = strdup(comment); -+ i->longitude = longitude; -+ i->latitude = latitude; -+ i->next = li[hash]; -+ li[hash] = i; -+ /* printf("%s [%u, %f, %f]\n", name, hash, latitude, longitude); */ -+ } -+ -+ fclose(fp); -+ -+ return li; -+} -+ -+/* Return location info from hash table, using given timezone name. -+ * Returns NULL if the name could not be found. 
*/ -+const struct location_info *find_zone_info(struct location_info **li, -+ const char *name) -+{ -+ uint32_t hash = tz_hash(name); -+ const struct location_info *l; -+ -+ if (!li) { -+ return NULL; -+ } -+ -+ for (l = li[hash]; l; l = l->next) { -+ if (timelib_strcasecmp(l->name, name) == 0) -+ return l; -+ } -+ -+ return NULL; -+} -+ -+/* Filter out some non-tzdata files and the posix/right databases, if -+ * present. */ -+static int index_filter(const struct dirent *ent) -+{ -+ return strcmp(ent->d_name, ".") != 0 -+ && strcmp(ent->d_name, "..") != 0 -+ && strcmp(ent->d_name, "posix") != 0 -+ && strcmp(ent->d_name, "posixrules") != 0 -+ && strcmp(ent->d_name, "right") != 0 -+ && strstr(ent->d_name, ".list") == NULL -+ && strstr(ent->d_name, ".tab") == NULL; -+} -+ -+static int sysdbcmp(const void *first, const void *second) -+{ -+ const timelib_tzdb_index_entry *alpha = first, *beta = second; -+ -+ return timelib_strcasecmp(alpha->id, beta->id); -+} -+ -+ -+/* Retrieve tzdata version. */ -+static void retrieve_zone_version(timelib_tzdb *db) -+{ -+ static char buf[30]; -+ char path[PATH_MAX]; -+ FILE *fp; -+ -+ strncpy(path, ZONEINFO_PREFIX "/tzdata.zi", sizeof(path)); -+ -+ fp = fopen(path, "r"); -+ if (fp) { -+ if (fgets(buf, sizeof(buf), fp)) { -+ if (!memcmp(buf, "# version ", 10) && -+ isdigit(buf[10]) && -+ isdigit(buf[11]) && -+ isdigit(buf[12]) && -+ isdigit(buf[13]) && -+ islower(buf[14])) { -+ if (buf[14] >= 't') { /* 2022t = 2022.20 */ -+ buf[17] = 0; -+ buf[16] = buf[14] - 't' + '0'; -+ buf[15] = '2'; -+ } else if (buf[14] >= 'j') { /* 2022j = 2022.10 */ -+ buf[17] = 0; -+ buf[16] = buf[14] - 'j' + '0'; -+ buf[15] = '1'; -+ } else { /* 2022a = 2022.1 */ -+ buf[16] = 0; -+ buf[15] = buf[14] - 'a' + '1'; -+ } -+ buf[14] = '.'; -+ db->version = buf+10; -+ } -+ } -+ fclose(fp); -+ } -+} -+ -+/* Create the zone identifier index by trawling the filesystem. 
*/ -+static void create_zone_index(timelib_tzdb *db) -+{ -+ size_t dirstack_size, dirstack_top; -+ size_t index_size, index_next; -+ timelib_tzdb_index_entry *db_index; -+ char **dirstack; -+ -+ /* LIFO stack to hold directory entries to scan; each slot is a -+ * directory name relative to the zoneinfo prefix. */ -+ dirstack_size = 32; -+ dirstack = malloc(dirstack_size * sizeof *dirstack); -+ dirstack_top = 1; -+ dirstack[0] = strdup(""); -+ -+ /* Index array. */ -+ index_size = 64; -+ db_index = malloc(index_size * sizeof *db_index); -+ index_next = 0; -+ -+ do { -+ struct dirent **ents; -+ char name[PATH_MAX], *top; -+ int count; -+ -+ /* Pop the top stack entry, and iterate through its contents. */ -+ top = dirstack[--dirstack_top]; -+ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s", top); -+ -+ count = php_scandir(name, &ents, index_filter, php_alphasort); -+ -+ while (count > 0) { -+ struct stat st; -+ const char *leaf = ents[count - 1]->d_name; -+ -+ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s/%s", -+ top, leaf); -+ -+ if (strlen(name) && stat(name, &st) == 0) { -+ /* Name, relative to the zoneinfo prefix. */ -+ const char *root = top; -+ -+ if (root[0] == '/') root++; -+ -+ snprintf(name, sizeof name, "%s%s%s", root, -+ *root ? "/": "", leaf); -+ -+ if (S_ISDIR(st.st_mode)) { -+ if (dirstack_top == dirstack_size) { -+ dirstack_size *= 2; -+ dirstack = realloc(dirstack, -+ dirstack_size * sizeof *dirstack); -+ } -+ dirstack[dirstack_top++] = strdup(name); -+ } -+ else { -+ if (index_next == index_size) { -+ index_size *= 2; -+ db_index = realloc(db_index, -+ index_size * sizeof *db_index); -+ } -+ -+ db_index[index_next++].id = strdup(name); -+ } -+ } -+ -+ free(ents[--count]); -+ } -+ -+ if (count != -1) free(ents); -+ free(top); -+ } while (dirstack_top); -+ -+ qsort(db_index, index_next, sizeof *db_index, sysdbcmp); -+ -+ db->index = db_index; -+ db->index_size = index_next; -+ -+ free(dirstack); -+} -+ -+#define FAKE_HEADER "1234\0??\1??" 
-+#define FAKE_UTC_POS (7 - 4) -+ -+/* Create a fake data segment for database 'sysdb'. */ -+static void fake_data_segment(timelib_tzdb *sysdb, -+ struct location_info **info) -+{ -+ size_t n; -+ char *data, *p; -+ -+ data = malloc(3 * sysdb->index_size + 7); -+ -+ p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1); -+ -+ for (n = 0; n < sysdb->index_size; n++) { -+ const struct location_info *li; -+ timelib_tzdb_index_entry *ent; -+ -+ ent = (timelib_tzdb_index_entry *)&sysdb->index[n]; -+ -+ /* Lookup the timezone name in the hash table. */ -+ if (strcmp(ent->id, "UTC") == 0) { -+ ent->pos = FAKE_UTC_POS; -+ continue; -+ } -+ -+ li = find_zone_info(info, ent->id); -+ if (li) { -+ /* If found, append the BC byte and the -+ * country code; set the position for this -+ * section of timezone data. */ -+ ent->pos = (p - data) - 4; -+ *p++ = '\1'; -+ *p++ = li->code[0]; -+ *p++ = li->code[1]; -+ } -+ else { -+ /* If not found, the timezone data can -+ * point at the header. */ -+ ent->pos = 0; -+ } -+ } -+ -+ sysdb->data = (unsigned char *)data; -+} -+ -+/* Returns true if the passed-in stat structure describes a -+ * probably-valid timezone file. */ -+static int is_valid_tzfile(const struct stat *st, int fd) -+{ -+ if (fd) { -+ char buf[20]; -+ if (read(fd, buf, 20)!=20) { -+ return 0; -+ } -+ lseek(fd, SEEK_SET, 0); -+ if (memcmp(buf, "TZif", 4)) { -+ return 0; -+ } -+ } -+ return S_ISREG(st->st_mode) && st->st_size > 20; -+} -+ -+/* To allow timezone names to be used case-insensitively, find the -+ * canonical name for this timezone, if possible. */ -+static const char *canonical_tzname(const char *timezone) -+{ -+ if (timezonedb_system) { -+ timelib_tzdb_index_entry *ent, lookup; -+ -+ lookup.id = (char *)timezone; -+ -+ ent = bsearch(&lookup, timezonedb_system->index, -+ timezonedb_system->index_size, sizeof lookup, -+ sysdbcmp); -+ if (ent) { -+ return ent->id; -+ } -+ } -+ -+ return timezone; -+} -+ -+/* Return the mmap()ed tzfile if found, else NULL. 
On success, the -+ * length of the mapped data is placed in *length. */ -+static char *map_tzfile(const char *timezone, size_t *length) -+{ -+ char fname[PATH_MAX]; -+ struct stat st; -+ char *p; -+ int fd; -+ -+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { -+ return NULL; -+ } -+ -+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); -+ -+ fd = open(fname, O_RDONLY); -+ if (fd == -1) { -+ return NULL; -+ } else if (fstat(fd, &st) != 0 || !is_valid_tzfile(&st, fd)) { -+ close(fd); -+ return NULL; -+ } -+ -+ *length = st.st_size; -+ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); -+ close(fd); -+ -+ return p != MAP_FAILED ? p : NULL; -+} -+ -+#endif -+ -+static int inmem_seek_to_tz_position(const unsigned char **tzf, const char *timezone, const timelib_tzdb *tzdb) - { - int left = 0, right = tzdb->index_size - 1; - -@@ -461,9 +939,49 @@ static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, - return 0; - } - -+static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, -+ char **map, size_t *maplen, -+ const timelib_tzdb *tzdb) -+{ -+#ifdef HAVE_SYSTEM_TZDATA -+ if (tzdb == timezonedb_system) { -+ char *orig; -+ -+ orig = map_tzfile(timezone, maplen); -+ if (orig == NULL) { -+ return 0; -+ } -+ -+ (*tzf) = (unsigned char *)orig; -+ *map = orig; -+ return 1; -+ } -+ else -+#endif -+ { -+ return inmem_seek_to_tz_position(tzf, timezone, tzdb); -+ } -+} -+ - const timelib_tzdb *timelib_builtin_db(void) - { -+#ifdef HAVE_SYSTEM_TZDATA -+ if (timezonedb_system == NULL) { -+ timelib_tzdb *tmp = malloc(sizeof *tmp); -+ -+ tmp->version = "0.system"; -+ tmp->data = NULL; -+ create_zone_index(tmp); -+ retrieve_zone_version(tmp); -+ system_location_table = create_location_table(); -+ fake_data_segment(tmp, system_location_table); -+ timezonedb_system = tmp; -+ } -+ -+ return timezonedb_system; -+#else - return &timezonedb_builtin; -+#endif - } - - const timelib_tzdb_index_entry 
*timelib_timezone_identifiers_list(const timelib_tzdb *tzdb, int *count) -@@ -475,7 +993,30 @@ const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_ - int timelib_timezone_id_is_valid(const char *timezone, const timelib_tzdb *tzdb) - { - const unsigned char *tzf; -- return (seek_to_tz_position(&tzf, timezone, tzdb)); -+ -+#ifdef HAVE_SYSTEM_TZDATA -+ if (tzdb == timezonedb_system) { -+ char fname[PATH_MAX]; -+ struct stat st; -+ -+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { -+ return 0; -+ } -+ -+ if (system_location_table) { -+ if (find_zone_info(system_location_table, timezone) != NULL) { -+ /* found in cache */ -+ return 1; -+ } -+ } -+ -+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); -+ -+ return stat(fname, &st) == 0 && is_valid_tzfile(&st, 0); -+ } -+#endif -+ -+ return (inmem_seek_to_tz_position(&tzf, timezone, tzdb)); - } - - static int skip_64bit_preamble(const unsigned char **tzf, timelib_tzinfo *tz) -@@ -517,6 +1058,8 @@ static timelib_tzinfo* timelib_tzinfo_ctor(const char *name) - timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *tzdb, int *error_code) - { - const unsigned char *tzf; -+ char *memmap = NULL; -+ size_t maplen; - timelib_tzinfo *tmp; - int version; - int transitions_result, types_result; -@@ -524,7 +1067,7 @@ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *t - - *error_code = TIMELIB_ERROR_NO_ERROR; - -- if (seek_to_tz_position(&tzf, timezone, tzdb)) { -+ if (seek_to_tz_position(&tzf, timezone, &memmap, &maplen, tzdb)) { - tmp = timelib_tzinfo_ctor(timezone); - - version = read_preamble(&tzf, tmp, &type); -@@ -563,11 +1106,36 @@ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *t - } - skip_posix_string(&tzf, tmp); - -+#ifdef HAVE_SYSTEM_TZDATA -+ if (memmap) { -+ const struct location_info *li; -+ -+ /* TZif-style - grok the location info from the system database, -+ * 
if possible. */ -+ -+ if ((li = find_zone_info(system_location_table, timezone)) != NULL) { -+ tmp->location.comments = timelib_strdup(li->comment); -+ strncpy(tmp->location.country_code, li->code, 2); -+ tmp->location.longitude = li->longitude; -+ tmp->location.latitude = li->latitude; -+ tmp->bc = 1; -+ } -+ else { -+ set_default_location_and_comments(&tzf, tmp); -+ } -+ -+ /* Now done with the mmap segment - discard it. */ -+ munmap(memmap, maplen); -+ } else { -+#endif - if (type == TIMELIB_TZINFO_PHP) { - read_location(&tzf, tmp); - } else { - set_default_location_and_comments(&tzf, tmp); - } -+#ifdef HAVE_SYSTEM_TZDATA -+ } -+#endif - } else { - *error_code = TIMELIB_ERROR_NO_SUCH_TIMEZONE; - tmp = NULL; -diff --git a/ext/date/php_date.c b/ext/date/php_date.c -index 2d5cffb963..389f09f313 100644 ---- a/ext/date/php_date.c -+++ b/ext/date/php_date.c -@@ -457,7 +457,11 @@ PHP_MINFO_FUNCTION(date) - php_info_print_table_row(2, "date/time support", "enabled"); - php_info_print_table_row(2, "timelib version", TIMELIB_ASCII_VERSION); - php_info_print_table_row(2, "\"Olson\" Timezone Database Version", tzdb->version); -+#ifdef HAVE_SYSTEM_TZDATA -+ php_info_print_table_row(2, "Timezone Database", "system"); -+#else - php_info_print_table_row(2, "Timezone Database", php_date_global_timezone_db_enabled ? "external" : "internal"); -+#endif - php_info_print_table_row(2, "Default timezone", guess_timezone(tzdb)); - php_info_print_table_end(); - diff --git a/php-8.0.13-crypt.patch b/php-8.0.13-crypt.patch deleted file mode 100644 index 31a8c8a..0000000 --- a/php-8.0.13-crypt.patch +++ /dev/null 
@@ -1,45 +0,0 @@
-From fc4e31467c352032ee709ac55d3c67bc22abcd8d Mon Sep 17 00:00:00 2001
-From: Remi Collet
-Date: Fri, 15 Oct 2021 17:11:12 +0200
-Subject: [PATCH] add --with-external-libcrypt build option display an error
- message if some algo not available in external libcrypt
-
----
- ext/standard/config.m4 | 21 ++++++++++++++++-----
- 1 file changed, 16 insertions(+), 5 deletions(-)
-
-diff --git a/ext/standard/config.m4 b/ext/standard/config.m4
-index 58b9c5e658a4..3ec18be4d7df 100644
---- a/ext/standard/config.m4
-+++ b/ext/standard/config.m4
-@@ -267,14 +267,25 @@ int main() {
- ])])
-
-
-+PHP_ARG_WITH([external-libcrypt],
-+ [for external libcrypt or libxcrypt],
-+ [AS_HELP_STRING([--with-external-libcrypt],
-+ [Use external libcrypt or libxcrypt])],
-+ [no],
-+ [no])
-+
- dnl
- dnl If one of them is missing, use our own implementation, portable code is then possible
- dnl
--dnl TODO This is currently always enabled
--if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no" || test "$ac_cv_func_crypt_r" != "yes" || true; then
-- AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 1, [Whether PHP has to use its own crypt_r for blowfish, des, ext des and md5])
--
-- PHP_ADD_SOURCES(PHP_EXT_DIR(standard), crypt_freesec.c crypt_blowfish.c crypt_sha512.c crypt_sha256.c php_crypt_r.c)
-+dnl This is currently enabled by default
-+if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no" || test "$ac_cv_func_crypt_r" != "yes" || test "$PHP_EXTERNAL_LIBCRYPT" = "no"; then
-+ if test "$PHP_EXTERNAL_LIBCRYPT" = "no"; then
-+ AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 1, [Whether PHP has to use its own crypt_r for blowfish, des, ext des and md5])
-+
-+ PHP_ADD_SOURCES(PHP_EXT_DIR(standard), crypt_freesec.c crypt_blowfish.c crypt_sha512.c crypt_sha256.c php_crypt_r.c)
-+ else
-+ AC_MSG_ERROR([Cannot use external libcrypt as some algo are missing])
-+ fi
- else
- AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 0, [Whether PHP has to use its own crypt_r for blowfish, des and ext des])
- fi
diff --git a/php-8.0.19-parser.patch b/php-8.0.19-parser.patch
deleted file mode 100644
index 8a28e4d..0000000
--- a/php-8.0.19-parser.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -up ./build/gen_stub.php.syslib ./build/gen_stub.php
---- ./build/gen_stub.php.syslib 2020-06-25 08:11:51.782046813 +0200
-+++ ./build/gen_stub.php 2020-06-25 08:13:11.188860368 +0200
-@@ -1075,6 +1075,12 @@ function initPhpParser() {
- }
-
- $isInitialized = true;
-+
-+ if (file_exists('/usr/share/php/PhpParser4/autoload.php')) {
-+ require_once '/usr/share/php/PhpParser4/autoload.php';
-+ return;
-+ }
-+
- $version = "4.13.0";
- $phpParserDir = __DIR__ . "/PHP-Parser-$version";
- if (!is_dir($phpParserDir)) {
diff --git a/php-8.0.6-deprecated.patch b/php-8.0.6-deprecated.patch
deleted file mode 100644
index 1e6b93b..0000000
--- a/php-8.0.6-deprecated.patch
+++ /dev/null
@@ -1,400 +0,0 @@ -From 4dc8b3c0efaae25b08c8f59b068f17c97c59d0ae Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Wed, 5 May 2021 15:41:00 +0200 -Subject: [PATCH] get rid of inet_aton and inet_ntoa use inet_ntop iand - inet_pton where available standardize buffer size - ---- - ext/sockets/sockaddr_conv.c | 4 ++++ - ext/sockets/sockets.c | 48 +++++++++++++++++++++++++------------ - ext/standard/dns.c | 16 ++++++++++++- - main/network.c | 20 ++++++++++++++-- - 4 files changed, 70 insertions(+), 18 deletions(-) - -diff --git a/ext/sockets/sockaddr_conv.c b/ext/sockets/sockaddr_conv.c -index 57996612d2d7e..65c8418fb3a6f 100644 ---- a/ext/sockets/sockaddr_conv.c -+++ b/ext/sockets/sockaddr_conv.c -@@ -87,7 +87,11 @@ int php_set_inet_addr(struct sockaddr_in *sin, char *string, php_socket *php_soc - struct in_addr tmp; - struct hostent *host_entry; - -+#ifdef HAVE_INET_PTON -+ if (inet_pton(AF_INET, string, &tmp)) { -+#else - if (inet_aton(string, &tmp)) { -+#endif - sin->sin_addr.s_addr = tmp.s_addr; - } else { - if (strlen(string) > MAXFQDNLEN || ! 
(host_entry = php_network_gethostbyname(string))) { -diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c -index 16ad3e8013a4c..85c938d1b97b1 100644 ---- a/ext/sockets/sockets.c -+++ b/ext/sockets/sockets.c -@@ -220,8 +220,10 @@ zend_module_entry sockets_module_entry = { - ZEND_GET_MODULE(sockets) - #endif - -+#ifndef HAVE_INET_NTOP - /* inet_ntop should be used instead of inet_ntoa */ - int inet_ntoa_lock = 0; -+#endif - - static int php_open_listen_sock(php_socket *sock, int port, int backlog) /* {{{ */ - { -@@ -1082,10 +1084,12 @@ PHP_FUNCTION(socket_getsockname) - struct sockaddr_in *sin; - #if HAVE_IPV6 - struct sockaddr_in6 *sin6; -- char addr6[INET6_ADDRSTRLEN+1]; -+#endif -+#ifdef HAVE_INET_NTOP -+ char addrbuf[INET6_ADDRSTRLEN]; - #endif - struct sockaddr_un *s_un; -- char *addr_string; -+ const char *addr_string; - socklen_t salen = sizeof(php_sockaddr_storage); - - if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oz|z", &arg1, socket_ce, &addr, &port) == FAILURE) { -@@ -1106,8 +1110,8 @@ PHP_FUNCTION(socket_getsockname) - #if HAVE_IPV6 - case AF_INET6: - sin6 = (struct sockaddr_in6 *) sa; -- inet_ntop(AF_INET6, &sin6->sin6_addr, addr6, INET6_ADDRSTRLEN); -- ZEND_TRY_ASSIGN_REF_STRING(addr, addr6); -+ inet_ntop(AF_INET6, &sin6->sin6_addr, addrbuf, sizeof(addrbuf)); -+ ZEND_TRY_ASSIGN_REF_STRING(addr, addrbuf); - - if (port != NULL) { - ZEND_TRY_ASSIGN_REF_LONG(port, htons(sin6->sin6_port)); -@@ -1117,11 +1121,14 @@ PHP_FUNCTION(socket_getsockname) - #endif - case AF_INET: - sin = (struct sockaddr_in *) sa; -+#ifdef HAVE_INET_NTOP -+ addr_string = inet_ntop(AF_INET, &sin->sin_addr, addrbuf, sizeof(addrbuf)); -+#else - while (inet_ntoa_lock == 1); - inet_ntoa_lock = 1; - addr_string = inet_ntoa(sin->sin_addr); - inet_ntoa_lock = 0; -- -+#endif - ZEND_TRY_ASSIGN_REF_STRING(addr, addr_string); - - if (port != NULL) { -@@ -1154,10 +1161,12 @@ PHP_FUNCTION(socket_getpeername) - struct sockaddr_in *sin; - #if HAVE_IPV6 - struct sockaddr_in6 *sin6; -- char 
addr6[INET6_ADDRSTRLEN+1]; -+#endif -+#ifdef HAVE_INET_NTOP -+ char addrbuf[INET6_ADDRSTRLEN]; - #endif - struct sockaddr_un *s_un; -- char *addr_string; -+ const char *addr_string; - socklen_t salen = sizeof(php_sockaddr_storage); - - if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oz|z", &arg1, socket_ce, &arg2, &arg3) == FAILURE) { -@@ -1178,9 +1187,9 @@ PHP_FUNCTION(socket_getpeername) - #if HAVE_IPV6 - case AF_INET6: - sin6 = (struct sockaddr_in6 *) sa; -- inet_ntop(AF_INET6, &sin6->sin6_addr, addr6, INET6_ADDRSTRLEN); -+ inet_ntop(AF_INET6, &sin6->sin6_addr, addrbuf, sizeof(addrbuf)); - -- ZEND_TRY_ASSIGN_REF_STRING(arg2, addr6); -+ ZEND_TRY_ASSIGN_REF_STRING(arg2, addrbuf); - - if (arg3 != NULL) { - ZEND_TRY_ASSIGN_REF_LONG(arg3, htons(sin6->sin6_port)); -@@ -1191,11 +1200,14 @@ PHP_FUNCTION(socket_getpeername) - #endif - case AF_INET: - sin = (struct sockaddr_in *) sa; -+#ifdef HAVE_INET_NTOP -+ addr_string = inet_ntop(AF_INET, &sin->sin_addr, addrbuf, sizeof(addrbuf)); -+#else - while (inet_ntoa_lock == 1); - inet_ntoa_lock = 1; - addr_string = inet_ntoa(sin->sin_addr); - inet_ntoa_lock = 0; -- -+#endif - ZEND_TRY_ASSIGN_REF_STRING(arg2, addr_string); - - if (arg3 != NULL) { -@@ -1527,12 +1539,14 @@ PHP_FUNCTION(socket_recvfrom) - struct sockaddr_in sin; - #if HAVE_IPV6 - struct sockaddr_in6 sin6; -- char addr6[INET6_ADDRSTRLEN]; -+#endif -+#ifdef HAVE_INET_NTOP -+ char addrbuf[INET6_ADDRSTRLEN]; - #endif - socklen_t slen; - int retval; - zend_long arg3, arg4; -- char *address; -+ const char *address; - zend_string *recv_buf; - - if (zend_parse_parameters(ZEND_NUM_ARGS(), "Ozllz|z", &arg1, socket_ce, &arg2, &arg3, &arg4, &arg5, &arg6) == FAILURE) { -@@ -1590,7 +1604,11 @@ PHP_FUNCTION(socket_recvfrom) - ZSTR_LEN(recv_buf) = retval; - ZSTR_VAL(recv_buf)[ZSTR_LEN(recv_buf)] = '\0'; - -+#ifdef HAVE_INET_NTOP -+ address = inet_ntop(AF_INET, &sin.sin_addr, addrbuf, sizeof(addrbuf)); -+#else - address = inet_ntoa(sin.sin_addr); -+#endif - - 
ZEND_TRY_ASSIGN_REF_NEW_STR(arg2, recv_buf); - ZEND_TRY_ASSIGN_REF_STRING(arg5, address ? address : "0.0.0.0"); -@@ -1617,11 +1635,11 @@ PHP_FUNCTION(socket_recvfrom) - ZSTR_LEN(recv_buf) = retval; - ZSTR_VAL(recv_buf)[ZSTR_LEN(recv_buf)] = '\0'; - -- memset(addr6, 0, INET6_ADDRSTRLEN); -- inet_ntop(AF_INET6, &sin6.sin6_addr, addr6, INET6_ADDRSTRLEN); -+ memset(addrbuf, 0, INET6_ADDRSTRLEN); -+ inet_ntop(AF_INET6, &sin6.sin6_addr, addrbuf, sizeof(addrbuf)); - - ZEND_TRY_ASSIGN_REF_NEW_STR(arg2, recv_buf); -- ZEND_TRY_ASSIGN_REF_STRING(arg5, addr6[0] ? addr6 : "::"); -+ ZEND_TRY_ASSIGN_REF_STRING(arg5, addrbuf[0] ? addrbuf : "::"); - ZEND_TRY_ASSIGN_REF_LONG(arg6, ntohs(sin6.sin6_port)); - break; - #endif -diff --git a/ext/standard/dns.c b/ext/standard/dns.c -index 41b98424edb60..6efdbbe894b46 100644 ---- a/ext/standard/dns.c -+++ b/ext/standard/dns.c -@@ -228,6 +228,9 @@ PHP_FUNCTION(gethostbynamel) - struct hostent *hp; - struct in_addr in; - int i; -+#ifdef HAVE_INET_NTOP -+ char addr4[INET_ADDRSTRLEN]; -+#endif - - ZEND_PARSE_PARAMETERS_START(1, 1) - Z_PARAM_PATH(hostname, hostname_len) -@@ -255,7 +258,11 @@ PHP_FUNCTION(gethostbynamel) - } - - in = *h_addr_entry; -+#ifdef HAVE_INET_NTOP -+ add_next_index_string(return_value, inet_ntop(AF_INET, &in, addr4, INET_ADDRSTRLEN)); -+#else - add_next_index_string(return_value, inet_ntoa(in)); -+#endif - } - } - /* }}} */ -@@ -266,7 +273,10 @@ static zend_string *php_gethostbyname(char *name) - struct hostent *hp; - struct in_addr *h_addr_0; /* Don't call this h_addr, it's a macro! 
*/ - struct in_addr in; -- char *address; -+#ifdef HAVE_INET_NTOP -+ char addr4[INET_ADDRSTRLEN]; -+#endif -+ const char *address; - - hp = php_network_gethostbyname(name); - if (!hp) { -@@ -281,7 +291,11 @@ static zend_string *php_gethostbyname(char *name) - - memcpy(&in.s_addr, h_addr_0, sizeof(in.s_addr)); - -+#ifdef HAVE_INET_NTOP -+ address = inet_ntop(AF_INET, &in, addr4, INET_ADDRSTRLEN); -+#else - address = inet_ntoa(in); -+#endif - return zend_string_init(address, strlen(address), 0); - } - /* }}} */ -diff --git a/main/network.c b/main/network.c -index 2c504952b2dd1..7f2f714ec42df 100644 ---- a/main/network.c -+++ b/main/network.c -@@ -236,8 +236,12 @@ PHPAPI int php_network_getaddresses(const char *host, int socktype, struct socka - } while ((sai = sai->ai_next) != NULL); - - freeaddrinfo(res); -+#else -+#ifdef HAVE_INET_PTON -+ if (!inet_pton(AF_INET, host, &in)) { - #else - if (!inet_aton(host, &in)) { -+#endif - if(strlen(host) > MAXFQDNLEN) { - host_info = NULL; - errno = E2BIG; -@@ -555,7 +559,11 @@ PHPAPI int php_network_parse_network_address_with_port(const char *addr, zend_lo - goto out; - } - #endif -+#ifdef HAVE_INET_PTON -+ if (inet_pton(AF_INET, tmp, &in4->sin_addr) > 0) { -+#else - if (inet_aton(tmp, &in4->sin_addr) > 0) { -+#endif - in4->sin_port = htons(port); - in4->sin_family = AF_INET; - *sl = sizeof(struct sockaddr_in); -@@ -617,15 +625,19 @@ PHPAPI void php_network_populate_name_from_sockaddr( - } - - if (textaddr) { --#if HAVE_IPV6 && HAVE_INET_NTOP -+#ifdef HAVE_INET_NTOP - char abuf[256]; - #endif -- char *buf = NULL; -+ const char *buf = NULL; - - switch (sa->sa_family) { - case AF_INET: - /* generally not thread safe, but it *is* thread safe under win32 */ -+#ifdef HAVE_INET_NTOP -+ buf = inet_ntop(AF_INET, &((struct sockaddr_in*)sa)->sin_addr, (char *)&abuf, sizeof(abuf)); -+#else - buf = inet_ntoa(((struct sockaddr_in*)sa)->sin_addr); -+#endif - if (buf) { - *textaddr = strpprintf(0, "%s:%d", - buf, ntohs(((struct 
sockaddr_in*)sa)->sin_port)); -@@ -862,7 +874,11 @@ php_socket_t php_network_connect_socket_to_host(const char *host, unsigned short - - in4->sin_family = sa->sa_family; - in4->sin_port = htons(bindport); -+#ifdef HAVE_INET_PTON -+ if (!inet_pton(AF_INET, bindto, &in4->sin_addr)) { -+#else - if (!inet_aton(bindto, &in4->sin_addr)) { -+#endif - php_error_docref(NULL, E_WARNING, "Invalid IP Address: %s", bindto); - goto skip_bind; - } -From e5b6f43ec7813392d83ea586b7902e0396a1f792 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Thu, 6 May 2021 14:21:29 +0200 -Subject: [PATCH] get rid of inet_addr usage - ---- - main/fastcgi.c | 4 ++++ - sapi/litespeed/lsapilib.c | 4 ++++ - 2 files changed, 8 insertions(+) - -diff --git a/main/fastcgi.c b/main/fastcgi.c -index 071f69d3a7f0..c936d42405de 100644 ---- a/main/fastcgi.c -+++ b/main/fastcgi.c -@@ -688,8 +688,12 @@ int fcgi_listen(const char *path, int backlog) - if (!*host || !strncmp(host, "*", sizeof("*")-1)) { - sa.sa_inet.sin_addr.s_addr = htonl(INADDR_ANY); - } else { -+#ifdef HAVE_INET_PTON -+ if (!inet_pton(AF_INET, host, &sa.sa_inet.sin_addr)) { -+#else - sa.sa_inet.sin_addr.s_addr = inet_addr(host); - if (sa.sa_inet.sin_addr.s_addr == INADDR_NONE) { -+#endif - struct hostent *hep; - - if(strlen(host) > MAXFQDNLEN) { -diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c -index a72b5dc1b988..305f3326a682 100644 ---- a/sapi/litespeed/lsapilib.c -+++ b/sapi/litespeed/lsapilib.c -@@ -2672,8 +2672,12 @@ int LSAPI_ParseSockAddr( const char * pBind, struct sockaddr * pAddr ) - ((struct sockaddr_in *)pAddr)->sin_addr.s_addr = htonl( INADDR_LOOPBACK ); - else - { -+#ifdef HAVE_INET_PTON -+ if (!inet_pton(AF_INET, p, &((struct sockaddr_in *)pAddr)->sin_addr)) -+#else - ((struct sockaddr_in *)pAddr)->sin_addr.s_addr = inet_addr( p ); - if ( ((struct sockaddr_in *)pAddr)->sin_addr.s_addr == INADDR_BROADCAST) -+#endif - { - doAddrInfo = 1; - } -From 99d67d121acd4c324738509679d23acaf759d065 Mon Sep 17 00:00:00 
2001 -From: Remi Collet -Date: Thu, 6 May 2021 16:35:48 +0200 -Subject: [PATCH] use getnameinfo instead of gethostbyaddr - ---- - ext/standard/dns.c | 34 ++++++++++++++++++++++------------ - 1 file changed, 22 insertions(+), 12 deletions(-) - -diff --git a/ext/standard/dns.c b/ext/standard/dns.c -index edd9a4549f5c..540c777faaba 100644 ---- a/ext/standard/dns.c -+++ b/ext/standard/dns.c -@@ -169,20 +169,30 @@ PHP_FUNCTION(gethostbyaddr) - static zend_string *php_gethostbyaddr(char *ip) - { - #if HAVE_IPV6 && HAVE_INET_PTON -- struct in6_addr addr6; --#endif -- struct in_addr addr; -- struct hostent *hp; -+ struct sockaddr_in sa4; -+ struct sockaddr_in6 sa6; -+ char out[NI_MAXHOST]; - --#if HAVE_IPV6 && HAVE_INET_PTON -- if (inet_pton(AF_INET6, ip, &addr6)) { -- hp = gethostbyaddr((char *) &addr6, sizeof(addr6), AF_INET6); -- } else if (inet_pton(AF_INET, ip, &addr)) { -- hp = gethostbyaddr((char *) &addr, sizeof(addr), AF_INET); -- } else { -- return NULL; -+ if (inet_pton(AF_INET6, ip, &sa6.sin6_addr)) { -+ sa6.sin6_family = AF_INET6; -+ -+ if (getnameinfo((struct sockaddr *)&sa6, sizeof(sa6), out, sizeof(out), NULL, 0, NI_NAMEREQD) < 0) { -+ return zend_string_init(ip, strlen(ip), 0); -+ } -+ return zend_string_init(out, strlen(out), 0); -+ } else if (inet_pton(AF_INET, ip, &sa4.sin_addr)) { -+ sa4.sin_family = AF_INET; -+ -+ if (getnameinfo((struct sockaddr *)&sa4, sizeof(sa4), out, sizeof(out), NULL, 0, NI_NAMEREQD) < 0) { -+ return zend_string_init(ip, strlen(ip), 0); -+ } -+ return zend_string_init(out, strlen(out), 0); - } -+ return NULL; /* not a valid IP */ - #else -+ struct in_addr addr; -+ struct hostent *hp; -+ - addr.s_addr = inet_addr(ip); - - if (addr.s_addr == -1) { -@@ -190,13 +200,13 @@ static zend_string *php_gethostbyaddr(char *ip) - } - - hp = gethostbyaddr((char *) &addr, sizeof(addr), AF_INET); --#endif - - if (!hp || hp->h_name == NULL || hp->h_name[0] == '\0') { - return zend_string_init(ip, strlen(ip), 0); - } - - return 
zend_string_init(hp->h_name, strlen(hp->h_name), 0); -+#endif - } - /* }}} */ - diff --git a/php-keyring.gpg b/php-keyring.gpg index 870d816..b5318b2 100644 --- a/php-keyring.gpg +++ b/php-keyring.gpg 
@@ -1,415 +1,320 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mQINBFjxRtoBEADkS6+Q7afwYDPFnqJXuyF2ZIvXysDBrpr/xbre4jVeiC/HIELa -QedOJqO1V+BgnTRkfhor+Yq3mZ1un+6zJIiFcm5Kp7sPZjh15JF96PsA4e2Eh5eC -eJzjXHj1nAKXfn5+CgpYEyL30r1/ACkmo9TKIiUxIDZRkZvxjY4UKeo+EoJo0Viu -tV8mvSTgxaz9gzPhZ5OJR8zECT8j3T8d+tBD8wWxxmGZ0veOu/MBew1C/BDr8RqT -CXDywUbyNuSsdb3a5aLuIuLekSJVSCcFwPIje1WrX4FyC42+elOp0SXpjWzdb08N -XX4DEY8zVyVXI1ScSpTbslffcFkY60NJhjpP7t856L9vTLRfHIM9BIdSYH/ar5mE -Q0vyJbiNfkx5tIMnEmnIYbmnjjmcPZDKZ4PyQEUEWF3DqNOOAWhk9HUMFEkANkd1 -vEcNNQxgD2eOJM6egfUv9KtuAEcRX2iDu3gIyE+55x92VVoEJDu5M+Q6PYGUIMh7 -nz2gS3lnlpG2vquQpqDS9UogsZ8L4NsukdP2ixRFnD9qaTOemqRYwIptOX6wvrtR -7PmWOnnRZ5OcpK5/qyK9iCLY7bbHDViBoV0uLEHNPTDHjrALJrqS+dH1glYid/82 -OvKE3KREjRpMOW83nNfQcqkMi9fhH8WUkz6OD6JemvB/s/CwBS2w3+9LAQARAQAB -tB5TYXJhIEdvbGVtb24gPHBvbGxpdGFAcGhwLm5ldD6JAj4EEwECACgCGwMGCwkI -BwMCBhUIAgkKCwQWAgMBAh4BAheABQJY/TOeBQkNNFUtAAoJENvbOXRw0SFy1xYP -/jQeNv4WUPK3M0Hl3EvEnOeODxePysU0khvgnw/mRtQu7BOwRdbB0HWv8Kx0HXL7 -XI4l2myHRZbd9PrBlG4YFYjZqWmqQ9WGlLBxDpSJNeROpTgKjhxA2hOl1xH2Et5k -bRcZzpJJ9zuD3rqkq80S3u/UAB/QzYfJWKnQBTXi/3psZNAVTRp3/4sEn1kCfEnl -NUYPih/NqdXE0frlKeITOAmatD2cjYcJlc/ETLil8Sq1nIgiE/++KZalbcXcRSHV -ZSd/L+fNlMDIh6k9pjcE562oiyyMHKed/pAX7o1BqlKqSwxjQoNskpICVFkyMv+P -7cIPyOxJa8kaGyyHND+8i1GzvwcPhLYeOWDwmiXBs4Ea8Z7KWxhi19zlxMrEfAcf -FIomcRoxfzcnSY3FVJYIoEySK/IBiivqeunyeDA2JG1vLSZIV5hNicUihp4hnhX4 -Z1gElN+C68P49SZseFzxvzwMq5RIUbWVwIh2+Wj51/UrULgoM4qNkgejDLYFyTxb -LfXq+Tk91UXdpepBHvE9KFVqh4MbIlyx9TAzOizqLdZlnPRwLb3rWBLsv7XbCTeY -tp4jVU8Q35hnvGFy+GsSROJv04mJW+whyz+zxOEMPiVbVA5um3ZbSj5oou87M9Li -JtrUOqNfyyqddLC8L5LgwwlYKqP+W6Q4LMf/Whoj3FFCuQINBFjxRtoBEACk8wfJ -qP03Hz6PX8br3jEUllSngdD/28K2C4RVOOr71u4FJRcEMR98SbPnCNIUt4KdedO1 -DJpYac1XvIaVBbLxEcBjRMWNhBgZbxoQzPjFTWHQ/UwHZPiiwQkL55fN1ejBEacD -V8B1JwqjcBbii6zItLUV/gxGH7Jce/f7KBM7vWlaP+xHpmd+iPK1swK5wNQzDL83 -b7NPyj58fqlmh54Fr+jcpuUjynaYfjtJsgwc4CScdai7FclctLMg8Y8DW7/bkqf1 -BQy9Dik82IWSN4wgVM1eWSGx+PzPlshGH/C8B53U353NcRhjFp3zX31wQhsJrA7J 
-p+10S3HbXGrr3aVGMMq3dqSBGp38iKJUmJ3zyVvby5Mk4+8FFmMk3gVuQE52pW4E -OlSVQNQC8yzYsgaG/4N0M8DRpbfPhT5wiD/Qcb7MUXTE96dzs/KcyPJju/aq4cJ6 -DgpbJmM6OZwnx5HYwa58RgOwAVBbsxYOa6oS+Fj02eaiUETwfPHtqF9juCcM5D0m -cLZRT1I4zK60qPb6ZDzuFguXg8hm/djjh2YlDFCNKqCZHktCISTWX5u1cyF5j+UL -3fsKcAAcyiHZV9UH8tr6v0i0P19Uje2ZHk9utJggYSSM0uyqGhmiyd8su2FqitBl -tvTo00Kc8sv4AcDmCng8SVO0og1wiJZdiHJI7QARAQABiQIfBBgBAgAJBQJY8Uba -AhsMAAoJENvbOXRw0SFydu4QALeYG2PPMEOQtMV6jOVT51U0Yo0yl94RJoQCOCCT -/JkUyIDczHmtcVABrpitX3tFl4vacJM3uKWKbzbM7qO2+Hd0u6rxO+o8WUGRMZp5 -IgcbagDOHs0vorVN2Yo0Tl8RoqW91MCvlRFA+8snmKjWfTYj8jxbhIUEtVrIU+5L -DEgDP+T6PvpaVeXfLYItieCsZgib3qPz5mM49jDH84XG5F19kx0QtVGJs7n8FrcA -GcQl/iMrm7dRrRuh9394ongIum0uld287Zlg9q12iJiir3w04Npy43G12RXq9TD9 -aRfbMhQ+HB5Dnvf42mfCfGvalSE0rg9mh1KeaiQUXxCzCf1D6a3H50rh1IDn363W -n41/Hr0j4ntVjvEJxs9nUb8qod2HMOPLOFqwxck7ueGaeDN/GZ5zjPdIppYwE3Lb -CM1ZFLkV+QhFef4zXwml1/AnGGFULgGYorwGCchizhU1wbZVcoUF74MtprnAsuPd -Fxlw+4yCcFEeYVpMDQg/ZfZ28T1GruGHqLJqIVpOum48Ec+fjnHAZAH9dOs/qhBu -CLE+5xUoVyP2lwt0MaHs5SLmxRKhcV6IWRJKTlZ9YdDXbVv5LisL/qDOTjRj7vOg -CPRhklyA0JjFeyTDpSeAWXFZnab0nYBPWkxtdxxRruEeQPAYP1vl0O6ABMxRAI6o -6zIImQINBFklYukBEAC9tCSjnoNs3ucOA9RPfKcuK87JD9jdet2UUsw4DHd/Hwmr -t3T7WKoH1GwRp+ue5+vzXqdFRZ4gG+7tgvUsOtNb5rh22bTBsUIeGsvm/omJntXC -FQhYcfjtk04p3qtgJ5PGjZahCRYg4aQ2tGp2Mb8auFuFPsHtOHLWQCL7vQShsN9m -EkEzAQZnn9QYL+IvTQVSKsRy8XcHYZVk2uT2xQY2LvkAucWF0TrjU2LJ2IFdepc0 -+jz1xasBR0afT9YccHpQH5w8yOW+9o/n7BiMHfgT0sBMdKCfKVoQrQe0CsFnqc/+ -V4NsnHkyUrbfKiIFm+NOupIMpL6/A+Iky5YpjIIUHPuVL6VAY6wm463WI8FPk+Nt -Gekm9jqISxirkYWsIEoZtCrycC8N0iUbGq8eLYdC9ewU5dagCdLGwnDvYjOvzH15 -6LTiE/Svrq2q0kBDAa7CTGRlT+2sgD89ol73QtAVUJst99lVHMmIL1cV4HUpvOlT -JHRdsN6VhlPrw6ue+2vmYsF86bYni6vMH6KJnmiWa1wijYO0wiSphtTXAa0HE/HT -V+hSb9bCRbyipwdqkEeaj8sKcx9+XyNxVOlUfo8pQZnLRTd61Fvj+sSTSEbo95a5 -gi0WDnyNtiafKEvLxal7VyatbAcCEcLDYAVHffNLg4fm4H35HN0YQpUt+SuVwQAR -AQABtBpSZW1pIENvbGxldCA8cmVtaUBwaHAubmV0PokCPgQTAQIAKAUCWSVi6QIb -AwUJDShogAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ3J/40+5a8n9OJQ/9 
-HtuZ4BMPMDFGVPUZ9DP0d74DF/QcT0V101TrdIZ92R4up56Dv40djjQZc2W9BmpP -VFr/v6qdjapdPH5vvmatnQDz/nIOfo1iwPWGzvmKnbDBQ4qJX7Jd6PdD/YorcD+0 -tOQNKLIGE9ZFQnS80iz9iaTGzvQKEQKEMugQSf3kG3NBEGqKQBsTTrBQOUJ3g8w6 -id2/qJtrDRbL9TuCU77Dpx9HUAnjj/Ixlvd4RQDa/BCYzGYJlCyTsaVW3qc7DIh/ -pRadqtswghSETtl6SSo9yHtoYOGTxXO6UikLEE8miOlaOPQrC9hCD+LSGc5QhNLB -EKes0l79w9kw9qZ9Xfh4pw/hf1N4O3kPHyUg0q9QaX1XKtigjTUcpdf2Kq8LtlB6 -0p40eZE2dV3T11X+rcn33pFSXMeTJeaNKHXoeGcva/gyZVtvi8iJhqtw9QOUkxRD -vGB+FEUId3Z1yAu7ZAz6qiUCgxK/VJ6/kBb+YYR8K4FHLmNOd5KoiTerKQu423uu -MYlYfBHpVZ9YuEJQnTEpizFEeOgaixx5RDLnoPsd/x59VS9eaaKotTPbW/rEp7Sv -bKj0dR5WMfGyd/OJrcWVZy8/Kh5Mc/4KOHD+JGAp0bE113TkEEoTZ8gNHFdLdv52 -V9eXUkeT5IxyThZBkUy6palDM8A5vaf6Eet8xOLy9XG5Ag0EWSVi6QEQAKujAODv -sdbt5n1dO29Nj5htbmt6M2A7eOjt7yUj4UMtBaGOA08O0DVA8MJkvepMq9AJBXHZ -Mi9Dycw3rxBHQDqHJJMwghu3RoQw1y5Wym7LiLhoWSU/wK0BrKOULBwh+kS6udKA -4oWrV/gr0JGmfdL8dZjBF10kHCfCcjcjWtmIp2GRaoOKTlHCviNmRxzyqba7zE0Z -c2maQ/4w98BI83GqD1bT8gF/5qwSI1hecBwt9oS7EbZ1ZiE8SSE8Gr6OR3p5UNHb -zqxUWy8W4r3qulCLc6g1LPXP1V59cMxX9jQJ7lSdv0k8C6Lb6t9Wm8G63hNYgRCA -mNW5EnqieTrx45K9vqoqfQK6Apfy0UoOquiuK7QClT3wBd7kmyKsCfV0bwRA/fV/ -sC1Rniu8PV7CRk9ryudUXycKq33pSkrOfZjFIQhCqdJkVc2MPbAuj2pOMutKwGKR -q/Mt3O8nEfGqWaJPa36C6dhlPqjEGTIEk5P493DzM7fj5VVIWyUrI8Vm9FslSvzI -LcONHMtKtRs2cRYA085NKDXGN7i5Am7L7ZONfqVs3V493ICwmALzeSULNLiMtX+E -SQfdWCS3Hosnjbc6INDg9BRhFt5MEWJ/qchM3g4NQuukqtOYsiEUw8bCzepwJxXp -lvNYu0yQDxvP+0RzjMozruVz3VoHeyf6rSWvABEBAAGJAiUEGAECAA8FAlklYukC -GwwFCQ0oaIAACgkQ3J/40+5a8n/8gg//a75gXQ4csiDUTsUndb94EXqraffmMcT5 -oCzfcP+Mecbuv3G8oQZeLRchsW2i4QecnvPwrXAJcF8kJuN/KZLyeh21PWBy55wo -/2nbwOvQockXpK5yVeuc3DmdTaxDnW9u3QpSwbvkEyoCpeHH6rZ1wjqn8Qi1k7nj -C4qgXpRrLQdRsS5ULXpf3IM+vaxbQ5avVnNRu5zMA6M/0reL0RSjgMfnk+3AwLCt -uMiy1aStCe8V7Y60/oauk+IZA1VJlSz2n3675YD7TkTZKkYIYZHTBw3ZPVJo08jd -RUXtGJjpOyyWVjP7GMKvZuQVWqcFyc8QHHaIPDLkdi7B9YFPWqfwJPBfUXcdzjAX -I7N4XsSEeMm8S8SC4FKCidioP/A+bamKcONHUuZ+AztvLh24ZTkqzA/sRRYpbMGU -QzpcDbastuXG66s3e9pJa0R14011A4bofy6Ureh9q6TQNOkNegUUdjbGSd1bfNId 
-QXRH0+LBV1oaY//v+aBjswy4hJ5oXmQj5jQKFitRCP9jzueyDdMJZ0j0Hhh4ItCz -FV5zIKtWiy7pRp1DXq9LjoyWeeLfKu+HrEGjMwyTGJiMjcL7oCHeiV/a+fY92wpU -rY1/mRVLqKqDIA6/iEL2DVf21U7rXY26xxvf4QFImZaYLwKQYLe8TOOjDA/I9bR1 -JJmh54yw10CZAg0EYIdBNgEQALohT1pcSlW4sk0DNfAvur1W3U+TEkevuQnKdSD/ -chKs50nLYRuiVrsZsR28tnr2j41uwvm+Y6ZPYAPSkQZ8yAT0pYnXbaIR83iGtZOH -P6wdxV39Mpf0T3yD4dOmgka1hynqNjEbRhE/t2fXNKf0JrBUmkyyhLYbQlkH+raU -gQug9EsyOJxEMER9qZM+Le/JiK5/i+8JxhjPcAQxiKu3l/usGtU6zcVUGjMSqs3Z -89Fa8WBOeGxDwwSKrn8MyyfEWrbCCF4Ao8gBeFmIkWgoeyumIAA0SYZkFjaltbTm -sFjVmYmmLXIKtKTnzZx0+jYJr42s0Q8n2ymgSKcC0Cmn+iuKslhuMpWJaqaHuZhj -K/80BArAYETW6ne1IZWPSsobd/2x4u9iwCkd/SWERA3/KnML6lgOVJfNbFxDxuJ+ -LFvpe6VoSAHlc4fC6+lMroeg011kzjgWX4H94Bdp5svpWHQ/UQ3/YMGvgUY1vy+V -d28bGzuslsnz5o2Zh40h2Dmpti5s2w7Z9TvLD2RMM1N6PrdCXVrQx3bB9nN7x1nL -osn+0v/8gfck93SO9PXLQtUgqhhWsh+/TrOiVWmWqLvbN95zWSnDRVHp1P8vKEGX -I26aokxEd1mVfilQKnHv2k6ieMc1M26GM48uXNqLSihYG2WgNl80agVFU00m/+Ea -9Uz7ABEBAAG0G0JlbiBSYW1zZXkgPHJhbXNleUBwaHAubmV0PokCVAQTAQgAPhYh -BDm2QTQ9jBBLKxRtw/nDncC5aYVEBQJgh0E2AhsDBQkGvxrvBQsJCAcCBhUKCQgL -AgQWAgMBAh4BAheAAAoJEPnDncC5aYVEzJYQAI72cCn9qEq/tRB9n9t02CPgFtLJ -VFBIJIfWeCRLQsv2vmqWGa9ehqsPT3jd0yTqNsV2hRTkzvNnrbIQUtHbRAm2pNz4 -74ClcIHuqbdk7gwfyEHw2vWpEtiVTHbJA1aqQypBrCjdfJt0s65wg4HSpodSelJO -A0shWBhBhSgU4kUvxJKPTcF1UM5iAjmm8OVIQLUeZDLFMJV6FAHmOG0JmvGMhPp1 -Hd3YdNgyyhlF1Jrqx/MK+eRBXbXSAMRSmBuUcV5p16bkt1CQ/vU5Nwi3B2HFpsva -5j6/9NZr4V5q8i2De4CyIpXj31fsKjfgs3k2ShIDUh6rvxyhkCHq1jqc5vYSltnF -9bIEht/Mn383LUoL+vBejY/UIRKShTt6eK6lcnAxa/ujb4nNvoP+UGHCsTRcNK+t -oujDxSYF1nI0zHGKCmNRmEyjW6Kp4eNspoNkm8dAwGaEvgvVNM5Jo5zAI/i4jBO1 -4lG7qTVhH1rVUFOUDKM+HMD6AdiOSp2dXXmY5Xa4OMJ8qWbPEUQP/qzFdceQL/Yj -mzTQOaorhAdB/2ULPiB0XhSJpuz3HSe0Juz8sBVCpabAQHk8++ydOfWRb7hR1oxS -6qJi2TIlT5vOR6X8v4kccxmvoQQbnSdVUTHSgbp/ifVFITek8Rbe9aNRnu4i+NOk -KgA3swgzlkJcKfDGuQINBGCHQTYBEADY0/Oat2b8EDcNSKPJNdyrQlDQ+N2fyTbq -1XPThTe5f3nRT1jepYqfsi/i4/6rza2AMvyxPO7AQSsHYlBYHxccqCH2Q90jCTu7 -iUJyU65Kx3aZC3U7VE4+jl81W5/b5qqjvZNRxLgDZDnvO7hBFh7b+jj7x1ABsHdw 
-q+zXjmg2mJCBsD4ba5jQaPr+nirvhr/Y744mGpaVWRlg7d/LhL73GRy546DgCVej -gd56vMsi2HBy2BKtjxIr2nd2yJn12+A5yenuagOVpye8F5Dy7ULFJ6iYe1/NpoVn -yipv3m0hE4C0x1vIw8tiXR85cb0aGuYgjOgEyLCE9INmMQ0ZZd1JqZwK2IyWiy0n -DNVJXqkzc3YjYZcrYiBb8dV7kvAf0E+UniIYTYtBU2rOWBM3aTT47Jh6ftss/tQ4 -e0HLeHZpvpWwJtkPHb1jGD/08icZH4XyVxIlEMhziuAZdBDTr7v7xSmqPrw49afW -iXfROV01j94tFdvF48wDOIb3qIBBbsNddqMvHPTShq2wMHlnylVFM/0CJn/yxezB -cuQfRVWeHg7lbzSt0HD29fBz7MlxoOSesmJCN+swoSy4nZ1nhWNHEaRh32Vn2H2q -4ya0rZFEHk2fS6WWBMTh7cjinmklQVxAhB99d+EYCZ4SHu74Ats4LvAsdJwe5I9b -lOIrYecwNwARAQABiQI8BBgBCAAmFiEEObZBND2MEEsrFG3D+cOdwLlphUQFAmCH -QTYCGwwFCQa/Gu8ACgkQ+cOdwLlphUQt+Q/+PWBVFPl05+TbJBF+1yyFXeH3VFjd -zwwKX+z5FgFcuO/ux4Tyef9nVUboiI9zCwEliczljyho+++Utzb2yG7sPwwsls9L -eOA3eb4y9pTsjqEfu7jGIbtIIUGqPtet7x4m5Og38qyXnAFUaJz6JJiFqbhekeNk -SPK/mIfySxkeHBCiyIuvWiAQYFzBYN6DsOKEjjW0HzayKoofKE6fTomaKvUNLs5e -gyvpuJQA+jtF/UFMWHXwE1UF+CsYCmBRR8uVffYzKt1PAJV3HKhRgcrvUudxoMNs -Ifl8VFlQeC6S0L3ZK/yyYW2hFyjpLEYwrIbSDRXzZyekhC12d5MRVpo+xqMhoZGY -iSkFHDfvedjh7htEvjLEDPtolbzZTbdrCFTNnKbTkVAV7z6Sx2AaBX6tCPXycqRe -I1nB1HqGFLOW9zT4a7FaDAy0o8glTx8ERPjbIBy9R1hIIB5ewyAAP1feG5Xfuj6q -Vm7IlELvft1kGvB0gm9k3X+hnbwIVzzgvGuMvl5+NumrD8VcoJ7UvjsFDRsvpHIJ -7zL2rEp4XZ8QwvqOSuYfbxWSTJoW5psyyHurBC4ZF67YFDLB0PiK/CyB4VxYHe79 -GU5ykN+r8SR1eavNndhUFo94I3QQ+999x0DvOhS54Uj4kKidZuZ70yDeh7761wO8 -wqWvQdQZUVULCQWZAg0EYGWinQEQAMQJ6RQqrrZgYJ6SIfzJPsC3zFd00C/UxLQo -aaiAQHEPnEQgjnAPqkvspSE7MpmyAohbUzXVnDO+ycxznIkLz0yYjs/m1qVB6hTM -w/PlD10ELoA6m3om/2E1vQQI78U3w3evBgVlGLzBIXWKLX7ZsBSm4xoPmD9mmisM -sM0xhqQzVuGm0I81gvKkIlWHPB+TqUWBpvDwmIdCRuGis7810OBKaMmTQ/rdhg1T -YZInZPfjeuW+oZ8Lqs4w3cfmyuDbbKQN8b1Qd2d9lJwkudI6KhIyH7uU0F1GeHIg -i9hZJZZcnlDiqtcHZ5YYEUHEzD6rPAL0LoUFpS6dP4DFch8R4oBpW8XTjg2BzfwZ -RCv1IuIgd6HhEUcuWj5QGMi6huCF/2WVDEoGs/K32Kyh+1Jg4OOOpuLP0/YqvsRO -AMbdY80xppR2yMMtpTJPhs5aCykZ8ffHKEsh4VGvi+xFIwuOGElqXoALFPas8N+D -5jXnJQR1/2zekei9YiM6jDXps0SIChBL6vG05cua6X5K+71YHHlDoUubb+tjiIHy -FYtzEe1PPMiLl6XtAdqllLqUQvy+McHgdqNOIU+FxbWDWjDtZ5hlDdZ+sIlz3esG 
-wl/zQQMdRdTsjcNuElOdl2pMmLlA8CvhJM+IkHVsIHponLtBqN0Ibrw+Sh1kX0sE -cjkfrDSJABEBAAG0KFBhdHJpY2sgQWxsYWVydCA8cGF0cmlja2FsbGFlcnRAcGhw -Lm5ldD6JAmUEEwEIADgWIQTx9pIjj7wWZuWlzNQZn53+9v+6/QUCYGWinQIbAwUL -CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAhCRAZn53+9v+6/RYhBPH2kiOPvBZm5aXM -1Bmfnf72/7r9wugQAJuMXAsnTk2m4Esda1R66IaOx3hms49hTtoJ3XTkOP0z/Y89 -66mJ0Zp/tjhof74jRwN+Eo9R0Vc4WpuXdL6ZaOm6alc4hYsT+13bO1hNEXFP70OF -3sithHac8wShdeutBdXGW/DcR8m7CXOsNWdQAlbYnCb3gt2zTp4DTrxmYVP4YptB -sQBQtaTqHlO0K0UGoHEkqk5PbbOeuUvvBAyeSEvislOxeSCQakBXFVROKojd90Qb -i6XFlNvZWzPgBHsrVRKuopgiNqfNAKz/n5ruhZcI4SKdni7zmv9CLiBO8P/qqzta -9Wv52z669MgPRMfODJr7Q9pG6AZCAm99oKCUStX/adKGBnfu0mx/v0bIyK7YSWp/ -8l4ioiulBs04xeZ1S9T6nMEGry8k2qlErcGI59DAR08aOAbKs/42W70Eoxepx8pw -S8KSyCfTCuF78bDdxXv3uutYb+A1AiHspu+esjJscgcXNRPYruQFBDUQ0aUzVrns -bePX6i1ZXYkPUTSRs6Hu9K8sJQ+mr5dTEae28szDxfN9mPqlNGbsKc21CsXwOJhU -IgU6a32gtZ7xq4g/A9DYHY1jSPhKi2q5JMbckQ2qzrl17zXhVISEcPTebQ0Qcu3Y -S24+k/mAqIGCrlSnFtLOf6MPTtL8JpeW9fiuys2spb/pHhqmlCevbda8CUtLuQIN -BGBlop0BEADLZJnHlI7dfEQ+thWKLLdLpd0MZBOugCqWjYdUfL89OY60W2C3Lrzg -fewjiNLxBzwvqmgEYyQURtlV7o04LJVtyO1B2b7ZQYQoC6gu+KV5z+8w1EOs6G+M -INda/QydjQk8ymChggGdHtWtGzTZ5K1js+e8wJgkF00n9YCxkkz+jJCK1L7w73vt -YvS0qYea1UVxmGG+cBsfQ9GbweRl6TvSjlmLtl7m6h1cpGDQrnyyp/yrfONLby1t -Q32lMhfH09XAPHpJWCfhv9dovgHHtb4Kroaj82UAZz2Je2Rn7SJiACLvezWEFTZM -WClntlHqHIVtmasntzhzzgK6E1IH67DgWR3m82noLpmbYlHAOLmNBsOYRGdfOQG2 -8L25P3HrWV9APikwdPHg4/0tKLgNzhB6yO6dj5Hs/YRsJD0Jn9X+cCNasP5VTLOF -sZD4J1i8jT8brlf/f367qOte3aFAPQq7OFYPvpFY/c0J0D6eb3FHCxfejVQL4YV4 -bg3HOUGynUeBGwHgyQJw/LY0LdCejokylQZr7Dj8H4l3b6x85UhJSKRoIin+c8aX -iI7/2CJbFDAIv3sovyMsAhS+GyntxIpYmoAl0jrqRCr6CWCaFl1Tjh3xrJ+pRCSk -TVq9OASHUqAb532B3Tt+DJzwrlf4qtQDFz7o7lPGXMnxYLW/KEa7QQARAQABiQJN -BBgBCAAgFiEE8faSI4+8FmblpczUGZ+d/vb/uv0FAmBlop0CGwwAIQkQGZ+d/vb/ -uv0WIQTx9pIjj7wWZuWlzNQZn53+9v+6/ccvD/0RXb7doLc6YilekZcEqtvvCrgo -/ZDbda1tjRbpQGyLy9J9whIdD7G7lSoGILSd8U18gCL7PZq96tGq75CDy89u0vI+ -IQ1WemRlfrBZb5qkSOGO2Yr/VYVxxjZbtYiM44aJyrehhA3MCvwzyP27iclH7N0X 
-sXgJOF1p3AVEfuXHhAVSbR3tkLPe7osXKyDUgUCuvJIPLSglCqPHsm95Xch8PpUX -JRemPpFnsPIlqDKu/vfIrDMZtnEFBog/afjA6sqmC8X2BTKF6Tiv8KKy0divkwsm -dAq+We0vkkIMq1PMc2UkDLv8DujpF4TXMvBXO3AWoKPDNt6L7zMUdymto5TIIA9W -sIbn+aGTfbfSflJlhlzJ53nyzl/x9ukFabwp7jjF6Vyh7KYMQE6ob16JWTo+AZY3 -mvKoUXw6jwGonaBjNkuR9Em/IyjXDx0tiKKaNPdVh8Tg8pcGNt3ssroEKWqLrUjW -lrso/+QPeH2Gl5+NjQYSIcQOcYo/MGuiikA9GJu088+IgJ8bmTiFgMuq/ZLAuQ6g -kpZBQXAN2hVIkV6H5IJwp8lbyf8GG0qBCk9Va03+PZjhZLu/fb9EzVmhyX95cENY -NUE7QXQplsJZqchsBbjgQE38DWiZKT7uyRhZUCUD3h9ZIsYo63NrQNoA+xkz9tub -+4cXQV6iJi/GqeBTcpkCDQRc/6jxARAA6399os7LWW0t8VwhEmjSj+1L14Ryh81Q -PEM15P1DrUXagxeLu7FGmecm7r3/0CA3m6szhpIv9qZ8ifk1KZPYkKQUeFxJvfrt -RfcfDew1Ynp4ansl4+jARv06GdOwkG7EiyVktSPyf0hGqLayeQhmqDl2cxPJuPO8 -JOSDISgk33rU94/QBWA2RRLSJtB3MZupY9Z6RvYMswyRbcYKWQlqZ09iZ4IDqeeO -pl/YuIWECl/99bpEEoqFD9tNlpaY+mDy2ihT6RWe+4uefbSWfFEjxpGd+x1ccCKK -qViYggEl0bw+S60RaS+5xEOG9wnuRrVRnVe9EbTYw2+xMdDsBaFl0qvLPY/66Bfe -D+iZpA/dN2BrsOLLWk7CJ9yCgoHxL185GMLbQNy687bCeVUGDIBF56OKzGBA7bJi -W6Z+XVkVX16li908TBnLy6DItYIqYFmSgGCAYviAmsq1v/dVOddpdAzDW4RfH5Fr -BNopYM92FswF8NtDN+VstwWAUQA2IDX3fYwPimIV+xG8ebgVALy7nWkAdsFGPoZk -UJa+x5Ln8WUOF37kMbNthd/uBelyeDZ2MU6/Eb+z54GOWijnw2l7bnlTysatJ88l -0dezmN0OQ8Yn3SaDjMKNVs+kifqVlAhSip3/eIA4/3P3Bp/RWtakzN9nV/fUVWgc -6hu6FzM6ozcAEQEAAbQlRGVyaWNrIFJldGhhbnMgPGdwZ0BkZXJpY2tyZXRoYW5z -Lm5sPokCVAQTAQoAPhYhBFpSiAeB91Vgi/gV/JEN60b1PqMSBQJc/6l5AhsDBQkS -zAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJEN60b1PqMSNQUP/2me0vxA -BXrqn9uUr/09Cz+HWio7W3b901alD1amIKS4W8cKs1vNe5qHEQKH5Nd/LlYKuyKu -agKWKrfLG7dguNAEVCya3zUqFiT71yh7BD8SvvUUTqgpTet4fHW8sr+rIYgvrXUV -Prb4U5DvzVfMOBBO1QBFM1ZS6J7A8EeVmmyysYc36CPoYb/CB6yMe7G1pnE9tqoo -A4hiHwfrb3t9TeSzKIbKTcuHtGgaxIosp/e3/eFZUi0zPVAQKLBA1rnUHejVb9cA -RZQSIFpLBbUaGGBJSjNualoQOWPnHCuTy9yF6++B4ToLWLB5r9nQu70cdod21tLt -p2BMpryKikpN6OIq5Kpj62uAGDu5b/lhhbQV5tp5gxabhIyfoCnLC6JMHwVsppIG -1XsDtcM4IaFl3bl5Ol0+G0vuNru21e9ydGMHR153hPl5fszWCkWQhHXw728+vIZX -4KI3uLbpJLDHWY8QGrwGpqPMcqObcepkskejpKZX2JtycoiOlntuMWfLLmL7S+Om 
-YnFkOy8G0TctD45wLlfWtJDzRr2p7TDYcQ3oHf0OQMHAQ4qUJXLYyxlPja4PWiMV -x5I9hLtXfJ4krKK/FJQDccFegBR8vhQVoQ0WFot/Vzo1qu488f0w0tAJDf16+w8W -FhYnIbwfndGMgfu/nkAZ/NAkD/bAul9NGKBctCVEZXJpY2sgUmV0aGFucyAoUEhQ -KSA8ZGVyaWNrQHBocC5uZXQ+iQJUBBMBCgA+FiEEWlKIB4H3VWCL+BX8kQ3rRvU+ -oxIFAlz/qWkCGwMFCRLMAwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQkQ3r -RvU+oxJxzhAAx8TGL+IaTYEzEICUk2wBTISoSMuoF5eZU4x3ZviA6yWG1OLn98uL -eCGjGCMFp1/OFGZfCe/QAVj7/eBZzPnvVj7JkUrPt4EpU0XOpVan9cVh9Yzds62H -Q19WRJOnMYO7xzZcempmUsZ5oAGivRsJ42UhvHi409T/ZpRdyOtiWXmdBXIRK9G3 -OuLBhchvFIhAbjfYbFD+gVzdGThU6xHXAfnLoFuyzYIpXzgrDYdmfkskLmTd4meK -oFVwcBnPWXxUJz1HNxPCI/dY8DUmWjqnb4qBU+JnLq16UmvEG2TdxpKivcoJH5la -IVnAEa2A3answ7WU5yF7n5b9PH9xFsPJpcUc7+rc2F3D6eY8WY+tSSzyKxuRYF7h -FeRifwSSjOMDp50kgUR2f/5gGRD8rDSKTtGq9pVDXtIPt2xEnY/SH6O8Mmusmk8/ -bS61t6HPjEZBGOO9LrYbVBcHCZAHRzWuFTIadyh+q330fXlCYHaHAZiN55TEDocj -1XxlhiLcyRGwDtMnc2IOjJUjyxAXwFwVqVOGCFtop33tj4TCKmMD+NSeLWmCmDLj -81t4r9+O2A2A8AhEMBCC7m9N6DlDdGMeOyzdDTUTp9cdbnLRc2qJNk8Q3C4/FI82 -SoJtOE0buvA9Jfz5GEU+V/ZEuMj+YYRCz6t3iFISCjxWlUTIH5Gw5A20KERlcmlj -ayBSZXRoYW5zIDxkZXJpY2tAZGVyaWNrcmV0aGFucy5ubD6JAlQEEwEKAD4WIQRa -UogHgfdVYIv4FfyRDetG9T6jEgUCXP+o8QIbAwUJEswDAAULCQgHAgYVCgkICwIE -FgIDAQIeAQIXgAAKCRCRDetG9T6jEo2yD/9PNspNKjiGq0u7CBxY4XrFXYNzGVUJ -UQxnCZk5o+K1zpU5VCV8XjXBrehwSe/17hAakl+5j+qFt/prORPHdXPyKyI+SM/O -muc+1AjOU3OPApwrpX0AsYMdDi5BtpXiJ8RGBNEsKJN+hCikpNkUXVlbluvcytCX -/je4TbnJdRFFSJCdP1YXAzrVbXCVFWgTU5g5SwPEpDxs9Qzvgg35PG/U5QiFSTCN -CokT1Hdf+S2a+h5nxSnqm2Vn80NyNBy9y4kBBCkU18NzR96cWxiccshR8qS+7Tg1 -EIBFFnheZkR2MQukfxCHliX40pGipyHE5Kf8huYgNRiHsfdYIfzYQx8lfvwRNq38 -QrMihIfcBZfl6z096J6Aj6XiA5VqcKDdD0gVw77KCkRyzBtGt6kSqStF9JYE9RjB -b375qPsvCVhW/alpScnRtJzVytDT9xeqe5F0V6/GhNvnlgBo3I2p+33gDb5TQOFw -oidV46lXlAYo0sAbXJPw9ZZrHE661HQ9T5CLtJ+cadITX3638Sc6XcsdbD+upU2V -1piQ9gUvgCNdYGjcYMXTfe4l7x+6pthE0lb7u+q/nyzTozez0xoCWygMJlETQXKn -s6EnhMi3phAuUnhso3fWAvwtOgHW9QaL+rx5npad3wGyRo9xqTmrE/El8FgALXY2 -XfggH/zQhIwNIbQxRGVyaWNrIFJldGhhbnMgKEdpdEh1YikgPGdpdGh1YkBkZXJp 
-Y2tyZXRoYW5zLm5sPokCVAQTAQoAPhYhBFpSiAeB91Vgi/gV/JEN60b1PqMSBQJc -/6lWAhsDBQkSzAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJEN60b1PqMS -jWUQALGWNAhYnuTTAIoKtwPsDab6kJV3TcBaiD5ezXXYX1WFEKMuLenYkCIzRuWO -FkZR8Rr8iJj7viCPWV5bniicsKNq4Af8YIXq8Qnam30gSkHo+jGpzZYnDdFDajYa -x7wVKMxUmPsC6RhfEk0JAFXhoqrFOrsuUw+bBC4LOvFzdufmS8klJq4krpYf1kp5 -CW6/DL38YRrmhq5djyiuA8iJPtylxcR+tXSmyGtgltCiHS4EdOOyG0hOsfkHPqIK -d5Tb7J+pMGimCp/9YV1NINbFpWIG3pF6sopMLU5YHh0Wq7SgfDVmkuPxUaEChTVz -S9y6k3DwhW7ZRpcSx9hDRwaHFw/eTuSdNH/7CpXKr0o/+zuvq+gpAHbPH1GfikoN -B87lSdfUdM95QTveQjS+6IFbQR/5pCEAraZ97EP02A2o45nn2bV/gOvZRqqPuJZQ -8rJ0ryqfxRWj/cRKrtt+k/n0dKQXJt/0g5s+IVgIHHoe5htzsXyjvxfpSL+vut8Y -ftr8lyCzGqFUZaX5zpsgwpy4FMf93ttPYiQuG/pVD4dSxc347xL03rB+0F6YIv6S -DKuA9Yy9bj2xRuJb5WmAlb67qwE7urGvgAkMXs3deVMWJ1oH5KB1t15mOU3Gund/ -q3WO21GQj7leALl4cV+oDXI+3z1idIMEWQWaoY2pT7PnUw5ruQINBFz/qPEBEACw -WHa7KtEtx2KKghel9yLwLx44LRnuKWLjGNrHqjIy6RSWBcOKVUnewtlzr8ugAAE3 -qMXtGd3vCLpEtqDJ4RghBrV9YVLArr9ba4clmSgr1iDKZE4xjR71rkwEcrQA9Iqa -faOQmTzj/MJoErYONat57CfArQs+Sd4SYJyLTZ+6HdSZVyM5tDooookToZaq/FHQ -1gKtQVuIkM7229JaVo+4xQn8N+nQCsKvbl/9ATxXoxzsf2UxDsOOW+Mi9qAmSDdD -pGIsWkFmvZnRPPnLXRkQiCcq703Zt/A5ake4JPLV3ZVvvzhvA37Qz8YE8Pud+jTL -bvZ6eKh/X3XYkUGjtbDUPfY61HTbiLKcDYmEbtD9bPa9gePhNPXVcpVKd+r9UQJA -+Oskt5zbNnOx1JCNIHKJ8s2ll62G4BcS76BnPSzCtGuDnW01xPj8Q5qEHwBcpKvW -j4sRx6DSxhieeMm3FZ2ScCarz2vNY3smDJSc2lOWYlFgQwwzqAsxqA7Lb5VmYuSR -KKEWB8XnQ2rcoAaUuCm8qU/zfa/yn97eZa9VKMMX9X7tcMAuYRD0fEmS9zjeX64h -/+tZdQnUq2Jtthz4qInNs/lSSYhCTC5H9FZ9hFe5X7LiYnTws5o6TXejtXxItaYF -/4Ltdsq/bT5gI/PNqP++iTQFjLDUUoG5S3U8/631+QARAQABiQI8BBgBCgAmFiEE -WlKIB4H3VWCL+BX8kQ3rRvU+oxIFAlz/qPECGwwFCRLMAwAACgkQkQ3rRvU+oxIW -mg/8CHGV74oqKrNf0ruUaHWfm1Lk++/CAp6uSZeMOkJST/4Nl5f2O3aPA7XVk4da -vvHA3IrS053LM7xUUb0FnarKMlKg//3f6Jtvavege6zfG3qj/s6fS/8EgoZkS3sy -wGHYzy299sgZKx7eF/pkVj/olgDQ/MpkM5scpDhY1rHjvhcR8sLM8O5DkOfyTaEi -RuphMRF9G21pu3kIPf4C/4tMN0TmNBzd+9L6n4iQooVsxzAohjlIQl6DjnGM5U7I -o3ufQqCuGOhJNdMPbuaH/ZtLxhnru1kZiHToPoGRDAW8YdjBnYIljW73RKPgMpkI 
-iL56DXSsb87qKBLZ3aBkjZO2NxT3GUPbCAYQ/b5JQ0Oeu2wbfYDZ8lr+rATED/9Z -6mrmPPgmVg+EmXpX3byBlfLvWuknZQgEFyZEiQUNWsPX1ML+VXUS9VkHYngZ6PDS -PREP+rN/XwsNaCKg76Dx3Vcxq+0Nj9c6qEPoiC4eQGa7iSc7ylHsYlQ9qLrwSBXm -OoGSnFkpToyEi33SA2FqZqLIvG1+z7sqiTiWbTdjZ8GShAwZDDnsbNUxue9YiYFN -UwEkJhcxkApawGhNtWkbDtTrvRRAHZ58CMDMRvpaKfGcpF+RlyRumTlEChpi+vNX -3Uyor2raD12YolIUGbjVdj3vYRkwdvoQ3cZJpZZLHyT9nDWZAg0EWxcHQgEQAJrY -yC/KKIzplzkKtuc6jCpUT2LMovFvUHp+OdCMN+K1SgveBhxsHgK10fx9Ki1Uvo2W -jhUAw1reQk/g06wiusJW0bZ2W5rKQKUPJH2JLEJcVdJAVdq2vGTdsVNkvia8O0XX -zN0tGb2juyjX1HPXUJ5jRBsiPrppeK6+NEizQmj4WYBF6wfsEalJdQ8g7nSR4p9s -HdotI+6ug6hxStcjK/wwFLRqpYwZQLDbRJVVMDAXIVLmmg8CP4VarIsF+PEv9ioC -EaT2yynFVYShmbU2XmUJSlatXaHhS3/C6IkKtOWZdU2Z2Yg0OyAUssikXYDV8bNO -dlSq+0gz+xwmglKGYwMxs1S+CtSnSwbuwmLvN2VMRWDCN4CLYRezmkNW03U2OXRx -rME6qlk82VNcLjpJnc1AVWBF/Wi4K+sG32e+uoTa7vZD4p5YmfgMRwe3sa6KCNgb -ufin5idIttHB/ZOZdyIMvxMqEBkjgCOHArLDFLMeMe364uBt7c2MLCPH6+v584Rd -rOz+Yl8AvKg3+izX6lwXE2VrC/6fkXlW7Z0+gES8YmNd++si5JOjDGqQhJ6h/r9u -ZVGLYk1LpgExgHxGhG1WXISIrGBd0kqFdkHYAIgTZ929grdv4tFpz4+rSBxTBlwd -PCKselkX3b0S5hSqAGsyFL/UT+l7h5vlLvTJe6W5ABEBAAG0IUNocmlzdG9waCBN -LiBCZWNrZXIgPGNtYkBwaHAubmV0PokCVAQTAQgAPhYhBMuvafFzoP6ktTf0cNZs -lZMRi8y2BQJbFwdCAhsDBQkHhM4ABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ -ENZslZMRi8y2o4MP/14vXeLNCNNtnhpbknRUVXrORcKZsDTyTHLx4BJvae9DsB0G -lzGI4xlkWFXRW9o1/3xG/sHpg1hQ2o5qAKPN8IAJBRm+O/cbyYxX5Jowy1l+vipt -93ZS9h+L2nEWk+hBT6hnf23u5po5JKPCEWgAqZxCnFivP5/STND9CZ5fXlTMXGYR -mehI/uGQ1k8qXMLVCG75mMxIbtXVnl0NIoq/mnT8kNWs2y17EKrbhX6tKVdOzsQI -SZ1CN0+SJeYrfCjvlVnCFQS/wG3OfmfsXIMtXR02sLffhai54jIM/DndaGrsNxay -GqScMVMnhkU8Tk1M92fwph3JaMlT7mik+fndWkQZtKAuu9j7CNmFhd19UKPbx+Fp -LIEccYyn0jh0Rngc8Js3ZhIAjaCNpSjJTIuWcNwRdks0hHSuvsK32C+YpakF1G7O -WWFSSy/p7VGXNR6R/sZgn7oC0qd954BGyaMhxmM7fezhcFYCSNG5D+jG2Ri5KtcF -Jcuw4tKXDxT1wg0pmk0tLH+ZNPw307Wdzrjqpz5TrYzLTiycxbl+uo4btKe742rl -uSXVaqx5bVpx6o1i42lGevCjq/n6oBbM78n8gTc4vPrdPjRYONviTplNipLol47h -rPG2yakoe0PqYKFLm7CzHbL64a3ZCK9K/XWth8OUJbDUGWRHnVZ5tpxQqYR2uQIN 
-BFsXB0IBEADDWz0jKxhy7ARP8K38vBwajJGTbwiuyiUNm/ShCWhmu/JgECQoKJa7 -gd/DpzZgjkA/7fTFGrF//AH8CK2kX/9TDnkLsjsT0Wlm66MOtMyz4HYkTjJHHFqQ -UgyoVhU2xFAp2snVgZLdV7ySoz++t3t9lSu8fUUzqdf07ufX+A4HXzgI6/2A+xzv -bvkWY/j18XE2ME13xiBXitdZGqVLLD02i/OaaQHYi1PEalfLnWtMBPu5oQd+2VTt -6bYsEOPjCOYfXXw7UTvGtOXOHE5wt0mZB28yBv8oZjsNpa36FHW90O+8KGBmrz5X -5c0MuilAnrfGdFaU1cnSFeGyEGdfsG2FzwPL9vfIVX14f92JzcppfwlOjm/vzONj -OE2/GbAOaCG9ppP37yfGmsSftLu4MpBsqSkKB/QlGncwP9tww+swe17DWMKmtm6C -0uSb3dbTb/QNdzWEEz5ZYAU4Aq8Y1Sc8QRlqSgRLmBsvffX4vQsg70r0khp3Ari/ -tcBAkWnnkkOg1xPB0/DGEhOzEIChjImtLghIkYXeVWJcfcR4fPrEcs37V8PR0WWK -s4gNEKy7nBelcB4EfPjEXEYjiAXCzzF5CaoY4uob5RXtvOp20Xv6+thPKFAhuDdP -XLxOGLYJ5/uhk7lElEhTaQ7PqxRsCcWDtf4OZEhOl1ag2G3TEXx/8QARAQABiQI8 -BBgBCAAmFiEEy69p8XOg/qS1N/Rw1myVkxGLzLYFAlsXB0ICGwwFCQeEzgAACgkQ -1myVkxGLzLZwBw/+Osh1vCAHiFUakQ2VPXzHe1wYbZPLbN+8as8O/pF/U6DzwO4Q -KUxjwbMrIFs2t0OucldFgJUjNHxQmKSdeq4x+NNhcZegobY8CIEdsWsXle4jZukq -DP+83xbH0z6AWZI3GuRvNCVg3KN4RRIFCOmBkdfmiGMXZq0tQgFWYFZ+o3R7FPt0 -eZ1Vm34TiG5zRcyZfWqWZtmow9yPYCcV0Xfb7H85H3f3M5xter9LXxbf0XXdPnlW -wZw7iuNgMjgtjUbWiidE/KRVCxEUGzARw7kV12EYESA13z1PYFY5n2evaXw0jCkD -JKtBJ/2HjkL7ruNDkKOtR/1/8D6b/yuKHZQXmLnJ3791yOtNnH064lALDeyZWorb -lSTyblBZmCsw2LKq0OyXEzPkY6KwPWI0oXOc2OSjcYTEIaXMOYACubQ1AeSol9cQ -U7zrIsCRoDN6hI6ENSVsukt8BTRuInHxFIwrmsd00RMsEdtRjfnmvvpLB4YeW7aI -CojEQ4S9Rec5HhbjbS7LcNGVBjgwh5EuA0qQWtjd8cOi3SHlKu9p7vgTaiwuhaH3 -km6Ntuy4xUSuuDA7/WHKxWOaR2JTZQ+QfUUH+JAfM/QUYK7lJAH7v4DaCraEFJND -O2qA/HKCscuFvMFXKZyf3Il33omfBV7l3UGvEWXFx8MMb8YEapUHwyy5+aOZAy4E -T2apoBEIAIVKpwaY26eSNBC7df7JedOYV4SS8zgldlM4F1HxoR680aaYUR/K+NoO -NaL2FzCngT+Vi0L4/tWxWMzU5Jf16rSML+UYvRnJFd6T6Y3LSfkfU1K5Ol/1jXws -yqFzgb5FT4tw2Jn0rQMm44680s/Fbs4dmC7FvfB0o9c1VraPJF8kAqba5okkxPWZ -OYVP1rRDxIqv6ZSusmS4bQfajpLOsq3xbCiKe3V6HrvNWwlom1AVyGcRmeVrAhyo -/bILicsZHcyS5ujDGgQFgJl63XxodVVFu+kbZC2hvwu7nGuwZuZfKZOQdN2m+R9w -kUANrwzM4v3TM7FfBsZ9shk6WHkSfyMBAJeV+fHZ5AvcFJb/pcA1rnV1taISnV3U -ECSkYq1m+WTRB/4z1YCL71pcx7fE/mSvG2CdE1R/ZY3pl3LYzEvVFEkIVvK0uGXS 
-uicLj0GwZhUayF0QfzGEFuIg4kq5Vn8NOX1sSbs/1zsILuInJUKSFQCGi4frHNlA -0tH5FT5B5tjNfKlV+X31CTsR0yav9YBkIcu69qfKp6kLkQGxrdWcB9B6ZI2gF4YE -pZYuI6w+O9Lvb7LXPhFQwB9cefiX+wUy3zO3v/vgCYk/Bmq5XjWniY87XZXj7E/J -zpGwHzix+yTZBWK9TzDwCS8ZB5iNejPsjBqj3n59a15XNnfopFC9RyQ/ykaMeUNe -cfEnQcjUj+Q4FlKPBHBR/R13vfLp6s+FsuT6B/410jcf0oYkHMbn+tXJYrBR5D13 -m53iNMlGRAa8A/mmDvq8Rr12iBul7hbln7QF9uIlKdCZBZIeJl12P+3fem1u6njg -KTplOB2WYVgwsXWFHjs8hlMMoRES4pgZyL++ryydm8Qk/1gLD9O2Idwx2swpxj/4 -unyVA7QYcs8H2CVWGcLR1vqXVemDUIwjz9GjMExyKPfQSABOCAL/LbNuKoAWhL0U -32dc9t7imFK2oAETJ5n6de523s9RhONWByuqjxsdkKKwGhtYLs6crJTPFXHNR64+ -Qh+Zm7OQtozDYxxB2/DCw29DQPNos/fRzVeyb/sQhglw5anOVUnlCt2YTT8FtDJT -dGFuaXNsYXYgTWFseXNoZXYgKFBIUCBrZXkpIDxzbWFseXNoZXZAZ21haWwuY29t -Poh6BBMRCAAiBQJPZqq0AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAv -eVa8XaBLXZczAP0e5EiiVLAgrvu7wRjjrXLa7qxtffqfn+6j8sNC7GiLewD/Qy+m -e/M6G/0i5+++xkSPcTuLeH6IPnrjxgzB9MUKKP60K1N0YW5pc2xhdiBNYWx5c2hl -diAoUEhQIGtleSkgPHN0YXNAcGhwLm5ldD6IegQTEQgAIgUCT2apoAIbAwYLCQgH -AwIGFQgCCQoLBBYCAwECHgECF4AACgkQL3lWvF2gS12F2wD/WpBvlFluHo+UhV4c -IUULd8y/LnrAnUoLSSeGmHJl1wYA/1tAWFYZvHKUWfvGadsnZulr7Rh/NFbBuCZ4 -hKhki1DVtDVTdGFuaXNsYXYgTWFseXNoZXYgKFBIUCBrZXkpIDxzbWFseXNoZXZA -c3VnYXJjcm0uY29tPoh6BBMRCAAiBQJPZqqdAhsDBgsJCAcDAgYVCAIJCgsEFgID -AQIeAQIXgAAKCRAveVa8XaBLXWuhAP9L9/cztiAKFozxIC3v2IA+8uJ6mVQGBiC4 -4mMdzXpADQD8CbSaMqY2rdbk/S4D+8H6WIIRwwt1xmI4iw0jjh4ePk+5Ag0ET2ap -oBAIAN9k8ymNmSQZmPcFj/sCmguribCrNuH4KktfA2fbS0U29Jd9vxF15e9URvtJ -zH5b2pimJq6faJcmAJUfx+ClmlHznq6VPWrq4Ib74Je5sS+Kn94mRmX3f/ziHTgp -AnCyA6sCHQ6bc549Gfw+v777Qs1LQQvy5f9gd5M4Y6eeZOphN7JIFUV2i/oviZ6l -11+N6SJwpCqEvuZmH/G6rb0mKNPS401fy/i8NZAO7l2UBx1364HeBxcwP8+CKcPX -XOn7rC2tYKb/7IGqm8PBdBfk8ZSfC9tF+XsDLcybCaheJ5xkyDR3BNJzt7SWEHgc -ZEdl0EwkHisdRUZ3Oq6Mr9y06+sAAwUH/RS1vvpB7qwIyUfFUCZ4T99ujs+LTlu1 -n/HTWvrt0d9oxI/SuIIonszQ5b6MBe2737P8FWdiKxbrtZZ/GXZxLm1kOCIeAkBF -dZQ47vb6xJwc/wpCZOXXPXqDIpvBjdKbIGTByk4vfmeFRY0vL3ezI+hjqxlROKSv -Ztli6QcNDfdcE+zh7oxtYp+xr2ppWaeU4XeTlSoKGO618doRrhDtU/jAEimmEcGL 
-0wjXqgkjPME9saXa6h52PCJnpB5BmdK45VhnFTZ3eVEDw+u18U3VVKWkSb9VwC+2 -J4dRhYc3TA675yndKWvlclU2NOMmGXbxKWKcwwTniYoAZ/Yt2v91HBeIYQQYEQgA -CQUCT2apoAIbDAAKCRAveVa8XaBLXboRAP9VV3cWCMsqCUKVFA/N19Tzju2oMrjM -mNuZG/m8svCgTQD7ButCzuNUZTc2tLQAiXm9SZ7CmnYErNKR6nLbedaZ6PCZAg0E -Xrb0LgEQAOX87ju0d9lqnpjc/B8j3/jB79MPAkuoE/yMzPcAfyzl7ytYcgjBclqj -U1YWR3hWdJKI0Qx59+Ss1anIJuOvTo0Saanj0YJSlDCFPUO5C7wuEqh4+EgacAiy -23LUtunKVJ9MQ7t+TtKeRijI84KK58RcM4ukHHwbCb9ww1mEUjTlcJBJ/n70iNoT -GKGCZ18IpyFvK8atSf1jt67k9hS2wS7VJNqw3Orm6xJDqGi3fMFtWg9ErxrtNkIM -YmrO+ofRsilUcpUrEDyv2Q/FNviOVE9BXzVVJ7zxOCwjMNJ4ao6Ezk0NOZU36qv0 -Bg8B3IWN6axWMwUQvfh0SAzZUGxfzuraG86Rj1z21PJwJxQATIRhERfm118EAVxw -P/xz0Nwrr044Hx0Wi8mX6qi0B5d1rf08VAUoJ/Bhr7Lfbpjbi0z4mvwZh+ydRrow -Doff+g0IAamzRVmcFVFyOdLM2iM9z10Ds6dPvi6QVvTMZfrE3l1MIpFb+YuOeU5A -QFbl0so2HaWP1TMb/0pQjhXh9WwSOfwjG1QyEibs4CxSMbJ2TwPYLNo9QQZnBdPM -PBUfa0Jkahw+NnztHjENsHbsr/ic1Zvi7HuaUTCKzm1oGeiIqIBXtH8WrQsQlAWi -JdEvu2YkKAyjxUOD9reL4a8NbGve1MeNC1T4onX5OqJ/dCsnnd19ABEBAAG0OEdh -YnJpZWwgQ2FydXNvIChSZWxlYXNlIE1hbmFnZXIpIDxjYXJ1c29nYWJyaWVsQHBo -cC5uZXQ+iQJUBBMBCAA+FiEEv93ShkKCT4EY73eQm2elwSIpEY8FAl629C4CGwMF -CQeEzgAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQm2elwSIpEY93YRAAorek -8NdIxkegDBXSrVVR0wA3FsT7tMT25cVDHpV0NnGVoRYRQW65rjW7zPAKHe/oXk6M -OuVbCg9Gr9znJa/KlQHsi0Hsv+6+w6rLpXw8aQfikfFgLIVOELY6/MoVcao2vEXv -Q0gDPo3JKVA+W7lMrY+sLUyJcww9yI1181qBJRlAp5wwyKPiqNExHKlxRklMSR6v -gJHocL7hSWcGPpSmKMqq5oZkwB73mhEktXAI6yEuAeOKEx7XarBfWeN4BCo9BHgp -nslR5pjgzWjKbHK5k+XBS0ApKi4dDuzuDcodqhIhqUhrFj04LGznYfnLa7IVuupI -NVY+HX/OBd9+a7qEH+hF7IOGFwfjv5xOCfbdzDzp3v4G6mluzTmDxByNta/T30hF -tWmKsqY5FP7ip1eN6//DvhZlQVcpbs8WEeivo8BRvbMBy6tW/hFMhWxEPrA+i9Qq -CRt0l5f29smtnJyCcZPi3AvtZI8qK+fgFgEinbz+NnOXY62JLJl/+GucSoWnx9rg -OJb2ZEDcTFuN8JCo4YxPAvACSPib4CF03nnFhAuyP/qnPcDKwFGhLUT++3FIilEA -CZ/dSGEylGQqTSYDl/gyxCpHslnZt6f2T8ZMd4fuqyrNvWT6sTARjwX3VCCwHNPn -M7ik9DWsgZM3gIFrtBwkfd9zeL2tgxgC25WWkJS5Ag0EXrb0LgEQAN1a0LLbJ+fK -NIFqwxsjNM5X5YdyPQMkkM0mMZzLgZMz3yCSUFw/ZbfD6ZqRfpxugek39M2l8BRA 
-8eWo0TiFAq2HdD9yXBfqiWc1DFL0ZkVgJtSM8czE4IX1EON7BRwin0BkOChn+PE0 -JWKdvrjyo6bZ995YFyNkA3GlUxSyoAhaivPFfrSoKBUSXSiZBk9KzdrS5k76ZlhE -73Vej1S5XCz+Ssqj6X683iDqTWlkXaUJ8EAnwv+b81zPmnjfxnAWYxa/Hi+vGWxD -gDhP4El+XJSLjcEB5JWt0a1UkSKXigz7LkYib1s091mIkTPsNmtsh5c2opGMoWJd -wbZvyqgM3VqrlCIkLdGiThqvhh85kKkvgg1Bicg0d00vmWlzJ4MFhkbt0pTLY7hp -+e+PF3gWey9inmqbiz52Xag8PQav7opOi1fb95Wvi/BkMZ6v5nmjxzQEe+HaF4Uj -ZG1fFwVp3Hss2V2DvT2QAzz/JV1Aj0aNFo37VAVebKqkdrxNCRQQg4p630kwEImR -wJTYY8tVNUlVQPbdVwkYJvdhXjsVXApPoxBhU20S5qevxMiI/2FhEHHgm5PmokSa -XiDgII7Gm4sUgoAreslvOmydpQeGKSOU5gZ1MQtvfBvdcQQfV1klnCTtYQMV/6lN -UXEx9LlXzaQ3/Ah0LC0XSV+8B9zz/A0FABEBAAGJAjwEGAEIACYWIQS/3dKGQoJP -gRjvd5CbZ6XBIikRjwUCXrb0LgIbDAUJB4TOAAAKCRCbZ6XBIikRj1+vD/9KA9Ev -HdPNyDk8jU/dUvPYKqLcQTKA0cBpDcv9+N0bfVFijBtw8Hpyg+23Q0XxJuwpgL7N -72HLxCJzrpfIyucc5j99+Wrh1wrbqdynkKJ9hM24lMhj2ZHaP42oN6At4unLFGh8 -0a+YkJFjTxh9jORvtjXpQjzq+j+8isQ5i71yT9WTzesJBhtrLMVQrgOND5E6AS/I -uUEjOHt3INuG2HFJp0jRtdlBT9ZLB+zoTJIIMARUqZGZTgF+rehVIsTXed7fdWid -MK9GKN9SU+cBWZ3vcb37lDph8bCmRb/aGlby5hBUy6KwrSXF/V6VsyqWiccXzt99 -Dq0BfuSE+VCKYjHToyw4j9gnlrZdH2NMwyUgicKbc8GLbxGS6tzYrSy2MD+BILQD -+cnpGgAyD2kbcEm6ghGWLTTi11cotcr0uXCLiPZwWG28ychx9HxXvvNUNArvDSmP -26uZqo/WZFYukaaFLltQocI5PEAkx2K4N+xb0y5Ht/8M+XNO/t/pAR+yHWNUpZUg -bZ0dujm5hPdVA9U51cyHMCucOl0sN0+oO26re7e0ZTnImjF6HBzgN5LhDmccoT4r -pOFJqrW77hOMhvIUkg5n4Sd63wbB88BKsPXF6mRUEPcHuvwLr5jAE8QSW6sLhphA -bh57GXdFtudEaKvQbGW9yalYwuj7Yip5XJGttg== -=XZOV +mQINBFklYukBEAC9tCSjnoNs3ucOA9RPfKcuK87JD9jdet2UUsw4DHd/Hwmrt3T7 +WKoH1GwRp+ue5+vzXqdFRZ4gG+7tgvUsOtNb5rh22bTBsUIeGsvm/omJntXCFQhY +cfjtk04p3qtgJ5PGjZahCRYg4aQ2tGp2Mb8auFuFPsHtOHLWQCL7vQShsN9mEkEz +AQZnn9QYL+IvTQVSKsRy8XcHYZVk2uT2xQY2LvkAucWF0TrjU2LJ2IFdepc0+jz1 +xasBR0afT9YccHpQH5w8yOW+9o/n7BiMHfgT0sBMdKCfKVoQrQe0CsFnqc/+V4Ns +nHkyUrbfKiIFm+NOupIMpL6/A+Iky5YpjIIUHPuVL6VAY6wm463WI8FPk+NtGekm +9jqISxirkYWsIEoZtCrycC8N0iUbGq8eLYdC9ewU5dagCdLGwnDvYjOvzH156LTi +E/Svrq2q0kBDAa7CTGRlT+2sgD89ol73QtAVUJst99lVHMmIL1cV4HUpvOlTJHRd 
+sN6VhlPrw6ue+2vmYsF86bYni6vMH6KJnmiWa1wijYO0wiSphtTXAa0HE/HTV+hS +b9bCRbyipwdqkEeaj8sKcx9+XyNxVOlUfo8pQZnLRTd61Fvj+sSTSEbo95a5gi0W +DnyNtiafKEvLxal7VyatbAcCEcLDYAVHffNLg4fm4H35HN0YQpUt+SuVwQARAQAB +tBpSZW1pIENvbGxldCA8cmVtaUBwaHAubmV0PokCPgQTAQIAKAUCWSVi6QIbAwUJ +DShogAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ3J/40+5a8n9OJQ/9HtuZ +4BMPMDFGVPUZ9DP0d74DF/QcT0V101TrdIZ92R4up56Dv40djjQZc2W9BmpPVFr/ +v6qdjapdPH5vvmatnQDz/nIOfo1iwPWGzvmKnbDBQ4qJX7Jd6PdD/YorcD+0tOQN +KLIGE9ZFQnS80iz9iaTGzvQKEQKEMugQSf3kG3NBEGqKQBsTTrBQOUJ3g8w6id2/ +qJtrDRbL9TuCU77Dpx9HUAnjj/Ixlvd4RQDa/BCYzGYJlCyTsaVW3qc7DIh/pRad +qtswghSETtl6SSo9yHtoYOGTxXO6UikLEE8miOlaOPQrC9hCD+LSGc5QhNLBEKes +0l79w9kw9qZ9Xfh4pw/hf1N4O3kPHyUg0q9QaX1XKtigjTUcpdf2Kq8LtlB60p40 +eZE2dV3T11X+rcn33pFSXMeTJeaNKHXoeGcva/gyZVtvi8iJhqtw9QOUkxRDvGB+ +FEUId3Z1yAu7ZAz6qiUCgxK/VJ6/kBb+YYR8K4FHLmNOd5KoiTerKQu423uuMYlY +fBHpVZ9YuEJQnTEpizFEeOgaixx5RDLnoPsd/x59VS9eaaKotTPbW/rEp7SvbKj0 +dR5WMfGyd/OJrcWVZy8/Kh5Mc/4KOHD+JGAp0bE113TkEEoTZ8gNHFdLdv52V9eX +UkeT5IxyThZBkUy6palDM8A5vaf6Eet8xOLy9XG5Ag0EWSVi6QEQAKujAODvsdbt +5n1dO29Nj5htbmt6M2A7eOjt7yUj4UMtBaGOA08O0DVA8MJkvepMq9AJBXHZMi9D +ycw3rxBHQDqHJJMwghu3RoQw1y5Wym7LiLhoWSU/wK0BrKOULBwh+kS6udKA4oWr +V/gr0JGmfdL8dZjBF10kHCfCcjcjWtmIp2GRaoOKTlHCviNmRxzyqba7zE0Zc2ma +Q/4w98BI83GqD1bT8gF/5qwSI1hecBwt9oS7EbZ1ZiE8SSE8Gr6OR3p5UNHbzqxU +Wy8W4r3qulCLc6g1LPXP1V59cMxX9jQJ7lSdv0k8C6Lb6t9Wm8G63hNYgRCAmNW5 +EnqieTrx45K9vqoqfQK6Apfy0UoOquiuK7QClT3wBd7kmyKsCfV0bwRA/fV/sC1R +niu8PV7CRk9ryudUXycKq33pSkrOfZjFIQhCqdJkVc2MPbAuj2pOMutKwGKRq/Mt +3O8nEfGqWaJPa36C6dhlPqjEGTIEk5P493DzM7fj5VVIWyUrI8Vm9FslSvzILcON +HMtKtRs2cRYA085NKDXGN7i5Am7L7ZONfqVs3V493ICwmALzeSULNLiMtX+ESQfd +WCS3Hosnjbc6INDg9BRhFt5MEWJ/qchM3g4NQuukqtOYsiEUw8bCzepwJxXplvNY +u0yQDxvP+0RzjMozruVz3VoHeyf6rSWvABEBAAGJAiUEGAECAA8FAlklYukCGwwF +CQ0oaIAACgkQ3J/40+5a8n/8gg//a75gXQ4csiDUTsUndb94EXqraffmMcT5oCzf +cP+Mecbuv3G8oQZeLRchsW2i4QecnvPwrXAJcF8kJuN/KZLyeh21PWBy55wo/2nb +wOvQockXpK5yVeuc3DmdTaxDnW9u3QpSwbvkEyoCpeHH6rZ1wjqn8Qi1k7njC4qg 
+XpRrLQdRsS5ULXpf3IM+vaxbQ5avVnNRu5zMA6M/0reL0RSjgMfnk+3AwLCtuMiy +1aStCe8V7Y60/oauk+IZA1VJlSz2n3675YD7TkTZKkYIYZHTBw3ZPVJo08jdRUXt +GJjpOyyWVjP7GMKvZuQVWqcFyc8QHHaIPDLkdi7B9YFPWqfwJPBfUXcdzjAXI7N4 +XsSEeMm8S8SC4FKCidioP/A+bamKcONHUuZ+AztvLh24ZTkqzA/sRRYpbMGUQzpc +DbastuXG66s3e9pJa0R14011A4bofy6Ureh9q6TQNOkNegUUdjbGSd1bfNIdQXRH +0+LBV1oaY//v+aBjswy4hJ5oXmQj5jQKFitRCP9jzueyDdMJZ0j0Hhh4ItCzFV5z +IKtWiy7pRp1DXq9LjoyWeeLfKu+HrEGjMwyTGJiMjcL7oCHeiV/a+fY92wpUrY1/ +mRVLqKqDIA6/iEL2DVf21U7rXY26xxvf4QFImZaYLwKQYLe8TOOjDA/I9bR1JJmh +54yw10CZAg0EXP+o8QEQAOt/faLOy1ltLfFcIRJo0o/tS9eEcofNUDxDNeT9Q61F +2oMXi7uxRpnnJu69/9AgN5urM4aSL/amfIn5NSmT2JCkFHhcSb367UX3Hw3sNWJ6 +eGp7JePowEb9OhnTsJBuxIslZLUj8n9IRqi2snkIZqg5dnMTybjzvCTkgyEoJN96 +1PeP0AVgNkUS0ibQdzGbqWPWekb2DLMMkW3GClkJamdPYmeCA6nnjqZf2LiFhApf +/fW6RBKKhQ/bTZaWmPpg8tooU+kVnvuLnn20lnxRI8aRnfsdXHAiiqlYmIIBJdG8 +PkutEWkvucRDhvcJ7ka1UZ1XvRG02MNvsTHQ7AWhZdKryz2P+ugX3g/omaQP3Tdg +a7Diy1pOwifcgoKB8S9fORjC20DcuvO2wnlVBgyAReejisxgQO2yYlumfl1ZFV9e +pYvdPEwZy8ugyLWCKmBZkoBggGL4gJrKtb/3VTnXaXQMw1uEXx+RawTaKWDPdhbM +BfDbQzflbLcFgFEANiA1932MD4piFfsRvHm4FQC8u51pAHbBRj6GZFCWvseS5/Fl +Dhd+5DGzbYXf7gXpcng2djFOvxG/s+eBjloo58Npe255U8rGrSfPJdHXs5jdDkPG +J90mg4zCjVbPpIn6lZQIUoqd/3iAOP9z9waf0VrWpMzfZ1f31FVoHOobuhczOqM3 +ABEBAAG0JURlcmljayBSZXRoYW5zIDxncGdAZGVyaWNrcmV0aGFucy5ubD6JAlQE +EwEKAD4WIQRaUogHgfdVYIv4FfyRDetG9T6jEgUCXP+peQIbAwUJEswDAAULCQgH +AgYVCgkICwIEFgIDAQIeAQIXgAAKCRCRDetG9T6jEjUFD/9pntL8QAV66p/blK/9 +PQs/h1oqO1t2/dNWpQ9WpiCkuFvHCrNbzXuahxECh+TXfy5WCrsirmoCliq3yxu3 +YLjQBFQsmt81KhYk+9coewQ/Er71FE6oKU3reHx1vLK/qyGIL611FT62+FOQ781X +zDgQTtUARTNWUuiewPBHlZpssrGHN+gj6GG/wgesjHuxtaZxPbaqKAOIYh8H6297 +fU3ksyiGyk3Lh7RoGsSKLKf3t/3hWVItMz1QECiwQNa51B3o1W/XAEWUEiBaSwW1 +GhhgSUozbmpaEDlj5xwrk8vchevvgeE6C1iwea/Z0Lu9HHaHdtbS7adgTKa8iopK +TejiKuSqY+trgBg7uW/5YYW0FebaeYMWm4SMn6ApywuiTB8FbKaSBtV7A7XDOCGh +Zd25eTpdPhtL7ja7ttXvcnRjB0ded4T5eX7M1gpFkIR18O9vPryGV+CiN7i26SSw +x1mPEBq8BqajzHKjm3HqZLJHo6SmV9ibcnKIjpZ7bjFnyy5i+0vjpmJxZDsvBtE3 
+LQ+OcC5X1rSQ80a9qe0w2HEN6B39DkDBwEOKlCVy2MsZT42uD1ojFceSPYS7V3ye +JKyivxSUA3HBXoAUfL4UFaENFhaLf1c6NaruPPH9MNLQCQ39evsPFhYWJyG8H53R +jIH7v55AGfzQJA/2wLpfTRigXLQlRGVyaWNrIFJldGhhbnMgKFBIUCkgPGRlcmlj +a0BwaHAubmV0PokCVAQTAQoAPhYhBFpSiAeB91Vgi/gV/JEN60b1PqMSBQJc/6lp +AhsDBQkSzAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJEN60b1PqMScc4Q +AMfExi/iGk2BMxCAlJNsAUyEqEjLqBeXmVOMd2b4gOslhtTi5/fLi3ghoxgjBadf +zhRmXwnv0AFY+/3gWcz571Y+yZFKz7eBKVNFzqVWp/XFYfWM3bOth0NfVkSTpzGD +u8c2XHpqZlLGeaABor0bCeNlIbx4uNPU/2aUXcjrYll5nQVyESvRtzriwYXIbxSI +QG432GxQ/oFc3Rk4VOsR1wH5y6Bbss2CKV84Kw2HZn5LJC5k3eJniqBVcHAZz1l8 +VCc9RzcTwiP3WPA1Jlo6p2+KgVPiZy6telJrxBtk3caSor3KCR+ZWiFZwBGtgN2p +7MO1lOche5+W/Tx/cRbDyaXFHO/q3Nhdw+nmPFmPrUks8isbkWBe4RXkYn8Ekozj +A6edJIFEdn/+YBkQ/Kw0ik7RqvaVQ17SD7dsRJ2P0h+jvDJrrJpPP20utbehz4xG +QRjjvS62G1QXBwmQB0c1rhUyGncofqt99H15QmB2hwGYjeeUxA6HI9V8ZYYi3MkR +sA7TJ3NiDoyVI8sQF8BcFalThghbaKd97Y+EwipjA/jUni1pgpgy4/NbeK/fjtgN +gPAIRDAQgu5vTeg5Q3RjHjss3Q01E6fXHW5y0XNqiTZPENwuPxSPNkqCbThNG7rw +PSX8+RhFPlf2RLjI/mGEQs+rd4hSEgo8VpVEyB+RsOQNtChEZXJpY2sgUmV0aGFu +cyA8ZGVyaWNrQGRlcmlja3JldGhhbnMubmw+iQJUBBMBCgA+FiEEWlKIB4H3VWCL ++BX8kQ3rRvU+oxIFAlz/qPECGwMFCRLMAwAFCwkIBwIGFQoJCAsCBBYCAwECHgEC +F4AACgkQkQ3rRvU+oxKNsg//TzbKTSo4hqtLuwgcWOF6xV2DcxlVCVEMZwmZOaPi +tc6VOVQlfF41wa3ocEnv9e4QGpJfuY/qhbf6azkTx3Vz8isiPkjPzprnPtQIzlNz +jwKcK6V9ALGDHQ4uQbaV4ifERgTRLCiTfoQopKTZFF1ZW5br3MrQl/43uE25yXUR +RUiQnT9WFwM61W1wlRVoE1OYOUsDxKQ8bPUM74IN+Txv1OUIhUkwjQqJE9R3X/kt +mvoeZ8Up6ptlZ/NDcjQcvcuJAQQpFNfDc0fenFsYnHLIUfKkvu04NRCARRZ4XmZE +djELpH8Qh5Yl+NKRoqchxOSn/IbmIDUYh7H3WCH82EMfJX78ETat/EKzIoSH3AWX +5es9PeiegI+l4gOVanCg3Q9IFcO+ygpEcswbRrepEqkrRfSWBPUYwW9++aj7LwlY +Vv2paUnJ0bSc1crQ0/cXqnuRdFevxoTb55YAaNyNqft94A2+U0DhcKInVeOpV5QG +KNLAG1yT8PWWaxxOutR0PU+Qi7SfnGnSE19+t/EnOl3LHWw/rqVNldaYkPYFL4Aj +XWBo3GDF033uJe8fuqbYRNJW+7vqv58s06M3s9MaAlsoDCZRE0Fyp7OhJ4TIt6YQ +LlJ4bKN31gL8LToB1vUGi/q8eZ6Wnd8BskaPcak5qxPxJfBYAC12Nl34IB/80ISM +DSG0MURlcmljayBSZXRoYW5zIChHaXRIdWIpIDxnaXRodWJAZGVyaWNrcmV0aGFu 
+cy5ubD6JAlQEEwEKAD4WIQRaUogHgfdVYIv4FfyRDetG9T6jEgUCXP+pVgIbAwUJ +EswDAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCRDetG9T6jEo1lEACxljQI +WJ7k0wCKCrcD7A2m+pCVd03AWog+Xs112F9VhRCjLi3p2JAiM0bljhZGUfEa/IiY ++74gj1leW54onLCjauAH/GCF6vEJ2pt9IEpB6Poxqc2WJw3RQ2o2Gse8FSjMVJj7 +AukYXxJNCQBV4aKqxTq7LlMPmwQuCzrxc3bn5kvJJSauJK6WH9ZKeQluvwy9/GEa +5oauXY8orgPIiT7cpcXEfrV0pshrYJbQoh0uBHTjshtITrH5Bz6iCneU2+yfqTBo +pgqf/WFdTSDWxaViBt6RerKKTC1OWB4dFqu0oHw1ZpLj8VGhAoU1c0vcupNw8IVu +2UaXEsfYQ0cGhxcP3k7knTR/+wqVyq9KP/s7r6voKQB2zx9Rn4pKDQfO5UnX1HTP +eUE73kI0vuiBW0Ef+aQhAK2mfexD9NgNqOOZ59m1f4Dr2Uaqj7iWUPKydK8qn8UV +o/3ESq7bfpP59HSkFybf9IObPiFYCBx6HuYbc7F8o78X6Ui/r7rfGH7a/Jcgsxqh +VGWl+c6bIMKcuBTH/d7bT2IkLhv6VQ+HUsXN+O8S9N6wftBemCL+kgyrgPWMvW49 +sUbiW+VpgJW+u6sBO7qxr4AJDF7N3XlTFidaB+SgdbdeZjlNxrp3f6t1jttRkI+5 +XgC5eHFfqA1yPt89YnSDBFkFmqGNqU+z51MOa7kCDQRc/6jxARAAsFh2uyrRLcdi +ioIXpfci8C8eOC0Z7ili4xjax6oyMukUlgXDilVJ3sLZc6/LoAABN6jF7Rnd7wi6 +RLagyeEYIQa1fWFSwK6/W2uHJZkoK9YgymROMY0e9a5MBHK0APSKmn2jkJk84/zC +aBK2DjWreewnwK0LPkneEmCci02fuh3UmVcjObQ6KKKJE6GWqvxR0NYCrUFbiJDO +9tvSWlaPuMUJ/Dfp0ArCr25f/QE8V6Mc7H9lMQ7DjlvjIvagJkg3Q6RiLFpBZr2Z +0Tz5y10ZEIgnKu9N2bfwOWpHuCTy1d2Vb784bwN+0M/GBPD7nfo0y272eniof191 +2JFBo7Ww1D32OtR024iynA2JhG7Q/Wz2vYHj4TT11XKVSnfq/VECQPjrJLec2zZz +sdSQjSByifLNpZethuAXEu+gZz0swrRrg51tNcT4/EOahB8AXKSr1o+LEceg0sYY +nnjJtxWdknAmq89rzWN7JgyUnNpTlmJRYEMMM6gLMagOy2+VZmLkkSihFgfF50Nq +3KAGlLgpvKlP832v8p/e3mWvVSjDF/V+7XDALmEQ9HxJkvc43l+uIf/rWXUJ1Kti +bbYc+KiJzbP5UkmIQkwuR/RWfYRXuV+y4mJ08LOaOk13o7V8SLWmBf+C7XbKv20+ +YCPzzaj/vok0BYyw1FKBuUt1PP+t9fkAEQEAAYkCPAQYAQoAJhYhBFpSiAeB91Vg +i/gV/JEN60b1PqMSBQJc/6jxAhsMBQkSzAMAAAoJEJEN60b1PqMSFpoP/Ahxle+K +KiqzX9K7lGh1n5tS5PvvwgKerkmXjDpCUk/+DZeX9jt2jwO11ZOHWr7xwNyK0tOd +yzO8VFG9BZ2qyjJSoP/93+ibb2r3oHus3xt6o/7On0v/BIKGZEt7MsBh2M8tvfbI +GSse3hf6ZFY/6JYA0PzKZDObHKQ4WNax474XEfLCzPDuQ5Dn8k2hIkbqYTERfRtt +abt5CD3+Av+LTDdE5jQc3fvS+p+IkKKFbMcwKIY5SEJeg45xjOVOyKN7n0Kgrhjo +STXTD27mh/2bS8YZ67tZGYh06D6BkQwFvGHYwZ2CJY1u90Sj4DKZCIi+eg10rG/O 
+6igS2d2gZI2TtjcU9xlD2wgGEP2+SUNDnrtsG32A2fJa/qwExA//Wepq5jz4JlYP +hJl6V928gZXy71rpJ2UIBBcmRIkFDVrD19TC/lV1EvVZB2J4Gejw0j0RD/qzf18L +DWgioO+g8d1XMavtDY/XOqhD6IguHkBmu4knO8pR7GJUPai68EgV5jqBkpxZKU6M +hIt90gNhamaiyLxtfs+7Kok4lm03Y2fBkoQMGQw57GzVMbnvWImBTVMBJCYXMZAK +WsBoTbVpGw7U670UQB2efAjAzEb6WinxnKRfkZckbpk5RAoaYvrzV91MqK9q2g9d +mKJSFBm41XY972EZMHb6EN3GSaWWSx8k/Zw1mQINBFsXB0IBEACa2MgvyiiM6Zc5 +CrbnOowqVE9izKLxb1B6fjnQjDfitUoL3gYcbB4CtdH8fSotVL6Nlo4VAMNa3kJP +4NOsIrrCVtG2dluaykClDyR9iSxCXFXSQFXatrxk3bFTZL4mvDtF18zdLRm9o7so +19Rz11CeY0QbIj66aXiuvjRIs0Jo+FmAResH7BGpSXUPIO50keKfbB3aLSPuroOo +cUrXIyv8MBS0aqWMGUCw20SVVTAwFyFS5poPAj+FWqyLBfjxL/YqAhGk9sspxVWE +oZm1Nl5lCUpWrV2h4Ut/wuiJCrTlmXVNmdmINDsgFLLIpF2A1fGzTnZUqvtIM/sc +JoJShmMDMbNUvgrUp0sG7sJi7zdlTEVgwjeAi2EXs5pDVtN1Njl0cazBOqpZPNlT +XC46SZ3NQFVgRf1ouCvrBt9nvrqE2u72Q+KeWJn4DEcHt7GuigjYG7n4p+YnSLbR +wf2TmXciDL8TKhAZI4AjhwKywxSzHjHt+uLgbe3NjCwjx+vr+fOEXazs/mJfALyo +N/os1+pcFxNlawv+n5F5Vu2dPoBEvGJjXfvrIuSTowxqkISeof6/bmVRi2JNS6YB +MYB8RoRtVlyEiKxgXdJKhXZB2ACIE2fdvYK3b+LRac+Pq0gcUwZcHTwirHpZF929 +EuYUqgBrMhS/1E/pe4eb5S70yXuluQARAQABtCFDaHJpc3RvcGggTS4gQmVja2Vy +IDxjbWJAcGhwLm5ldD6JAlQEEwEIAD4WIQTLr2nxc6D+pLU39HDWbJWTEYvMtgUC +WxcHQgIbAwUJB4TOAAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRDWbJWTEYvM +tqODD/9eL13izQjTbZ4aW5J0VFV6zkXCmbA08kxy8eASb2nvQ7AdBpcxiOMZZFhV +0VvaNf98Rv7B6YNYUNqOagCjzfCACQUZvjv3G8mMV+SaMMtZfr4qbfd2UvYfi9px +FpPoQU+oZ39t7uaaOSSjwhFoAKmcQpxYrz+f0kzQ/QmeX15UzFxmEZnoSP7hkNZP +KlzC1Qhu+ZjMSG7V1Z5dDSKKv5p0/JDVrNstexCq24V+rSlXTs7ECEmdQjdPkiXm +K3wo75VZwhUEv8Btzn5n7FyDLV0dNrC334WoueIyDPw53Whq7DcWshqknDFTJ4ZF +PE5NTPdn8KYdyWjJU+5opPn53VpEGbSgLrvY+wjZhYXdfVCj28fhaSyBHHGMp9I4 +dEZ4HPCbN2YSAI2gjaUoyUyLlnDcEXZLNIR0rr7Ct9gvmKWpBdRuzllhUksv6e1R +lzUekf7GYJ+6AtKnfeeARsmjIcZjO33s4XBWAkjRuQ/oxtkYuSrXBSXLsOLSlw8U +9cINKZpNLSx/mTT8N9O1nc646qc+U62My04snMW5frqOG7Snu+Nq5bkl1WqseW1a +ceqNYuNpRnrwo6v5+qAWzO/J/IE3OLz63T40WDjb4k6ZTYqS6JeO4azxtsmpKHtD +6mChS5uwsx2y+uGt2QivSv11rYfDlCWw1BlkR51WebacUKmEdrkCDQRbFwdCARAA 
+w1s9IysYcuwET/Ct/LwcGoyRk28IrsolDZv0oQloZrvyYBAkKCiWu4Hfw6c2YI5A +P+30xRqxf/wB/AitpF//Uw55C7I7E9FpZuujDrTMs+B2JE4yRxxakFIMqFYVNsRQ +KdrJ1YGS3Ve8kqM/vrd7fZUrvH1FM6nX9O7n1/gOB184COv9gPsc7275FmP49fFx +NjBNd8YgV4rXWRqlSyw9NovzmmkB2ItTxGpXy51rTAT7uaEHftlU7em2LBDj4wjm +H118O1E7xrTlzhxOcLdJmQdvMgb/KGY7DaWt+hR1vdDvvChgZq8+V+XNDLopQJ63 +xnRWlNXJ0hXhshBnX7Bthc8Dy/b3yFV9eH/dic3KaX8JTo5v78zjYzhNvxmwDmgh +vaaT9+8nxprEn7S7uDKQbKkpCgf0JRp3MD/bcMPrMHtew1jCprZugtLkm93W02/0 +DXc1hBM+WWAFOAKvGNUnPEEZakoES5gbL331+L0LIO9K9JIadwK4v7XAQJFp55JD +oNcTwdPwxhITsxCAoYyJrS4ISJGF3lViXH3EeHz6xHLN+1fD0dFlirOIDRCsu5wX +pXAeBHz4xFxGI4gFws8xeQmqGOLqG+UV7bzqdtF7+vrYTyhQIbg3T1y8Thi2Cef7 +oZO5RJRIU2kOz6sUbAnFg7X+DmRITpdWoNht0xF8f/EAEQEAAYkCPAQYAQgAJhYh +BMuvafFzoP6ktTf0cNZslZMRi8y2BQJbFwdCAhsMBQkHhM4AAAoJENZslZMRi8y2 +cAcP/jrIdbwgB4hVGpENlT18x3tcGG2Ty2zfvGrPDv6Rf1Og88DuEClMY8GzKyBb +NrdDrnJXRYCVIzR8UJiknXquMfjTYXGXoKG2PAiBHbFrF5XuI2bpKgz/vN8Wx9M+ +gFmSNxrkbzQlYNyjeEUSBQjpgZHX5ohjF2atLUIBVmBWfqN0exT7dHmdVZt+E4hu +c0XMmX1qlmbZqMPcj2AnFdF32+x/OR939zOcbXq/S18W39F13T55VsGcO4rjYDI4 +LY1G1oonRPykVQsRFBswEcO5FddhGBEgNd89T2BWOZ9nr2l8NIwpAySrQSf9h45C ++67jQ5CjrUf9f/A+m/8rih2UF5i5yd+/dcjrTZx9OuJQCw3smVqK25Uk8m5QWZgr +MNiyqtDslxMz5GOisD1iNKFznNjko3GExCGlzDmAArm0NQHkqJfXEFO86yLAkaAz +eoSOhDUlbLpLfAU0biJx8RSMK5rHdNETLBHbUY355r76SweGHlu2iAqIxEOEvUXn +OR4W420uy3DRlQY4MIeRLgNKkFrY3fHDot0h5Srvae74E2osLoWh95JujbbsuMVE +rrgwO/1hysVjmkdiU2UPkH1FB/iQHzP0FGCu5SQB+7+A2gq2hBSTQztqgPxygrHL +hbzBVymcn9yJd96JnwVe5d1BrxFlxcfDDG/GBGqVB8MsufmjmQMuBE9mqaARCACF +SqcGmNunkjQQu3X+yXnTmFeEkvM4JXZTOBdR8aEevNGmmFEfyvjaDjWi9hcwp4E/ +lYtC+P7VsVjM1OSX9eq0jC/lGL0ZyRXek+mNy0n5H1NSuTpf9Y18LMqhc4G+RU+L +cNiZ9K0DJuOOvNLPxW7OHZguxb3wdKPXNVa2jyRfJAKm2uaJJMT1mTmFT9a0Q8SK +r+mUrrJkuG0H2o6SzrKt8Wwoint1eh67zVsJaJtQFchnEZnlawIcqP2yC4nLGR3M +kubowxoEBYCZet18aHVVRbvpG2Qtob8Lu5xrsGbmXymTkHTdpvkfcJFADa8MzOL9 +0zOxXwbGfbIZOlh5En8jAQCXlfnx2eQL3BSW/6XANa51dbWiEp1d1BAkpGKtZvlk +0Qf+M9WAi+9aXMe3xP5krxtgnRNUf2WN6Zdy2MxL1RRJCFbytLhl0ronC49BsGYV 
+GshdEH8xhBbiIOJKuVZ/DTl9bEm7P9c7CC7iJyVCkhUAhouH6xzZQNLR+RU+QebY +zXypVfl99Qk7EdMmr/WAZCHLuvanyqepC5EBsa3VnAfQemSNoBeGBKWWLiOsPjvS +72+y1z4RUMAfXHn4l/sFMt8zt7/74AmJPwZquV41p4mPO12V4+xPyc6RsB84sfsk +2QVivU8w8AkvGQeYjXoz7Iwao95+fWteVzZ36KRQvUckP8pGjHlDXnHxJ0HI1I/k +OBZSjwRwUf0dd73y6erPhbLk+gf+NdI3H9KGJBzG5/rVyWKwUeQ9d5ud4jTJRkQG +vAP5pg76vEa9dogbpe4W5Z+0BfbiJSnQmQWSHiZddj/t33ptbup44Ck6ZTgdlmFY +MLF1hR47PIZTDKEREuKYGci/vq8snZvEJP9YCw/TtiHcMdrMKcY/+Lp8lQO0GHLP +B9glVhnC0db6l1Xpg1CMI8/RozBMcij30EgATggC/y2zbiqAFoS9FN9nXPbe4phS +tqABEyeZ+nXudt7PUYTjVgcrqo8bHZCisBobWC7OnKyUzxVxzUeuPkIfmZuzkLaM +w2McQdvwwsNvQ0DzaLP30c1Xsm/7EIYJcOWpzlVJ5QrdmE0/BbQyU3RhbmlzbGF2 +IE1hbHlzaGV2IChQSFAga2V5KSA8c21hbHlzaGV2QGdtYWlsLmNvbT6IegQTEQgA +IgUCT2aqtAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQL3lWvF2gS12X +MwD9HuRIolSwIK77u8EY461y2u6sbX36n5/uo/LDQuxoi3sA/0MvpnvzOhv9Iufv +vsZEj3E7i3h+iD5648YMwfTFCij+tCtTdGFuaXNsYXYgTWFseXNoZXYgKFBIUCBr +ZXkpIDxzdGFzQHBocC5uZXQ+iHoEExEIACIFAk9mqaACGwMGCwkIBwMCBhUIAgkK +CwQWAgMBAh4BAheAAAoJEC95VrxdoEtdhdsA/1qQb5RZbh6PlIVeHCFFC3fMvy56 +wJ1KC0knhphyZdcGAP9bQFhWGbxylFn7xmnbJ2bpa+0YfzRWwbgmeISoZItQ1bQ1 +U3RhbmlzbGF2IE1hbHlzaGV2IChQSFAga2V5KSA8c21hbHlzaGV2QHN1Z2FyY3Jt +LmNvbT6IegQTEQgAIgUCT2aqnQIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA +CgkQL3lWvF2gS11roQD/S/f3M7YgChaM8SAt79iAPvLieplUBgYguOJjHc16QA0A +/Am0mjKmNq3W5P0uA/vB+liCEcMLdcZiOIsNI44eHj5PuQINBE9mqaAQCADfZPMp +jZkkGZj3BY/7ApoLq4mwqzbh+CpLXwNn20tFNvSXfb8RdeXvVEb7Scx+W9qYpiau +n2iXJgCVH8fgpZpR856ulT1q6uCG++CXubEvip/eJkZl93/84h04KQJwsgOrAh0O +m3OePRn8Pr+++0LNS0EL8uX/YHeTOGOnnmTqYTeySBVFdov6L4mepddfjekicKQq +hL7mZh/xuq29JijT0uNNX8v4vDWQDu5dlAcdd+uB3gcXMD/PginD11zp+6wtrWCm +/+yBqpvDwXQX5PGUnwvbRfl7Ay3MmwmoXiecZMg0dwTSc7e0lhB4HGRHZdBMJB4r +HUVGdzqujK/ctOvrAAMFB/0Utb76Qe6sCMlHxVAmeE/fbo7Pi05btZ/x01r67dHf +aMSP0riCKJ7M0OW+jAXtu9+z/BVnYisW67WWfxl2cS5tZDgiHgJARXWUOO72+sSc +HP8KQmTl1z16gyKbwY3SmyBkwcpOL35nhUWNLy93syPoY6sZUTikr2bZYukHDQ33 +XBPs4e6MbWKfsa9qaVmnlOF3k5UqChjutfHaEa4Q7VP4wBIpphHBi9MI16oJIzzB 
+PbGl2uoedjwiZ6QeQZnSuOVYZxU2d3lRA8PrtfFN1VSlpEm/VcAvtieHUYWHN0wO +u+cp3Slr5XJVNjTjJhl28SlinMME54mKAGf2Ldr/dRwXiGEEGBEIAAkFAk9mqaAC +GwwACgkQL3lWvF2gS126EQD/VVd3FgjLKglClRQPzdfU847tqDK4zJjbmRv5vLLw +oE0A+wbrQs7jVGU3NrS0AIl5vUmewpp2BKzSkepy23nWmejwmQINBFjxRtoBEADk +S6+Q7afwYDPFnqJXuyF2ZIvXysDBrpr/xbre4jVeiC/HIELaQedOJqO1V+BgnTRk +fhor+Yq3mZ1un+6zJIiFcm5Kp7sPZjh15JF96PsA4e2Eh5eCeJzjXHj1nAKXfn5+ +CgpYEyL30r1/ACkmo9TKIiUxIDZRkZvxjY4UKeo+EoJo0ViutV8mvSTgxaz9gzPh +Z5OJR8zECT8j3T8d+tBD8wWxxmGZ0veOu/MBew1C/BDr8RqTCXDywUbyNuSsdb3a +5aLuIuLekSJVSCcFwPIje1WrX4FyC42+elOp0SXpjWzdb08NXX4DEY8zVyVXI1Sc +SpTbslffcFkY60NJhjpP7t856L9vTLRfHIM9BIdSYH/ar5mEQ0vyJbiNfkx5tIMn +EmnIYbmnjjmcPZDKZ4PyQEUEWF3DqNOOAWhk9HUMFEkANkd1vEcNNQxgD2eOJM6e +gfUv9KtuAEcRX2iDu3gIyE+55x92VVoEJDu5M+Q6PYGUIMh7nz2gS3lnlpG2vquQ +pqDS9UogsZ8L4NsukdP2ixRFnD9qaTOemqRYwIptOX6wvrtR7PmWOnnRZ5OcpK5/ +qyK9iCLY7bbHDViBoV0uLEHNPTDHjrALJrqS+dH1glYid/82OvKE3KREjRpMOW83 +nNfQcqkMi9fhH8WUkz6OD6JemvB/s/CwBS2w3+9LAQARAQABtB5TYXJhIEdvbGVt +b24gPHBvbGxpdGFAcGhwLm5ldD6JAj4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQW +AgMBAh4BAheABQJY/TOeBQkNNFUtAAoJENvbOXRw0SFy1xYP/jQeNv4WUPK3M0Hl +3EvEnOeODxePysU0khvgnw/mRtQu7BOwRdbB0HWv8Kx0HXL7XI4l2myHRZbd9PrB +lG4YFYjZqWmqQ9WGlLBxDpSJNeROpTgKjhxA2hOl1xH2Et5kbRcZzpJJ9zuD3rqk +q80S3u/UAB/QzYfJWKnQBTXi/3psZNAVTRp3/4sEn1kCfEnlNUYPih/NqdXE0frl +KeITOAmatD2cjYcJlc/ETLil8Sq1nIgiE/++KZalbcXcRSHVZSd/L+fNlMDIh6k9 +pjcE562oiyyMHKed/pAX7o1BqlKqSwxjQoNskpICVFkyMv+P7cIPyOxJa8kaGyyH +ND+8i1GzvwcPhLYeOWDwmiXBs4Ea8Z7KWxhi19zlxMrEfAcfFIomcRoxfzcnSY3F +VJYIoEySK/IBiivqeunyeDA2JG1vLSZIV5hNicUihp4hnhX4Z1gElN+C68P49SZs +eFzxvzwMq5RIUbWVwIh2+Wj51/UrULgoM4qNkgejDLYFyTxbLfXq+Tk91UXdpepB +HvE9KFVqh4MbIlyx9TAzOizqLdZlnPRwLb3rWBLsv7XbCTeYtp4jVU8Q35hnvGFy ++GsSROJv04mJW+whyz+zxOEMPiVbVA5um3ZbSj5oou87M9LiJtrUOqNfyyqddLC8 +L5LgwwlYKqP+W6Q4LMf/Whoj3FFCuQINBFjxRtoBEACk8wfJqP03Hz6PX8br3jEU +llSngdD/28K2C4RVOOr71u4FJRcEMR98SbPnCNIUt4KdedO1DJpYac1XvIaVBbLx +EcBjRMWNhBgZbxoQzPjFTWHQ/UwHZPiiwQkL55fN1ejBEacDV8B1JwqjcBbii6zI 
+tLUV/gxGH7Jce/f7KBM7vWlaP+xHpmd+iPK1swK5wNQzDL83b7NPyj58fqlmh54F +r+jcpuUjynaYfjtJsgwc4CScdai7FclctLMg8Y8DW7/bkqf1BQy9Dik82IWSN4wg +VM1eWSGx+PzPlshGH/C8B53U353NcRhjFp3zX31wQhsJrA7Jp+10S3HbXGrr3aVG +MMq3dqSBGp38iKJUmJ3zyVvby5Mk4+8FFmMk3gVuQE52pW4EOlSVQNQC8yzYsgaG +/4N0M8DRpbfPhT5wiD/Qcb7MUXTE96dzs/KcyPJju/aq4cJ6DgpbJmM6OZwnx5HY +wa58RgOwAVBbsxYOa6oS+Fj02eaiUETwfPHtqF9juCcM5D0mcLZRT1I4zK60qPb6 +ZDzuFguXg8hm/djjh2YlDFCNKqCZHktCISTWX5u1cyF5j+UL3fsKcAAcyiHZV9UH +8tr6v0i0P19Uje2ZHk9utJggYSSM0uyqGhmiyd8su2FqitBltvTo00Kc8sv4AcDm +Cng8SVO0og1wiJZdiHJI7QARAQABiQIfBBgBAgAJBQJY8UbaAhsMAAoJENvbOXRw +0SFydu4QALeYG2PPMEOQtMV6jOVT51U0Yo0yl94RJoQCOCCT/JkUyIDczHmtcVAB +rpitX3tFl4vacJM3uKWKbzbM7qO2+Hd0u6rxO+o8WUGRMZp5IgcbagDOHs0vorVN +2Yo0Tl8RoqW91MCvlRFA+8snmKjWfTYj8jxbhIUEtVrIU+5LDEgDP+T6PvpaVeXf +LYItieCsZgib3qPz5mM49jDH84XG5F19kx0QtVGJs7n8FrcAGcQl/iMrm7dRrRuh +9394ongIum0uld287Zlg9q12iJiir3w04Npy43G12RXq9TD9aRfbMhQ+HB5Dnvf4 +2mfCfGvalSE0rg9mh1KeaiQUXxCzCf1D6a3H50rh1IDn363Wn41/Hr0j4ntVjvEJ +xs9nUb8qod2HMOPLOFqwxck7ueGaeDN/GZ5zjPdIppYwE3LbCM1ZFLkV+QhFef4z +Xwml1/AnGGFULgGYorwGCchizhU1wbZVcoUF74MtprnAsuPdFxlw+4yCcFEeYVpM +DQg/ZfZ28T1GruGHqLJqIVpOum48Ec+fjnHAZAH9dOs/qhBuCLE+5xUoVyP2lwt0 +MaHs5SLmxRKhcV6IWRJKTlZ9YdDXbVv5LisL/qDOTjRj7vOgCPRhklyA0JjFeyTD +pSeAWXFZnab0nYBPWkxtdxxRruEeQPAYP1vl0O6ABMxRAI6o6zIImQINBF629C4B +EADl/O47tHfZap6Y3PwfI9/4we/TDwJLqBP8jMz3AH8s5e8rWHIIwXJao1NWFkd4 +VnSSiNEMeffkrNWpyCbjr06NEmmp49GCUpQwhT1DuQu8LhKoePhIGnAIstty1Lbp +ylSfTEO7fk7SnkYoyPOCiufEXDOLpBx8Gwm/cMNZhFI05XCQSf5+9IjaExihgmdf +CKchbyvGrUn9Y7eu5PYUtsEu1STasNzq5usSQ6hot3zBbVoPRK8a7TZCDGJqzvqH +0bIpVHKVKxA8r9kPxTb4jlRPQV81VSe88TgsIzDSeGqOhM5NDTmVN+qr9AYPAdyF +jemsVjMFEL34dEgM2VBsX87q2hvOkY9c9tTycCcUAEyEYREX5tdfBAFccD/8c9Dc +K69OOB8dFovJl+qotAeXda39PFQFKCfwYa+y326Y24tM+Jr8GYfsnUa6MA6H3/oN +CAGps0VZnBVRcjnSzNojPc9dA7OnT74ukFb0zGX6xN5dTCKRW/mLjnlOQEBW5dLK +Nh2lj9UzG/9KUI4V4fVsEjn8IxtUMhIm7OAsUjGydk8D2CzaPUEGZwXTzDwVH2tC +ZGocPjZ87R4xDbB27K/4nNWb4ux7mlEwis5taBnoiKiAV7R/Fq0LEJQFoiXRL7tm 
+JCgMo8VDg/a3i+GvDWxr3tTHjQtU+KJ1+Tqif3QrJ53dfQARAQABtDhHYWJyaWVs +IENhcnVzbyAoUmVsZWFzZSBNYW5hZ2VyKSA8Y2FydXNvZ2FicmllbEBwaHAubmV0 +PokCVAQTAQgAPhYhBL/d0oZCgk+BGO93kJtnpcEiKRGPBQJetvQuAhsDBQkHhM4A +BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJtnpcEiKRGPd2EQAKK3pPDXSMZH +oAwV0q1VUdMANxbE+7TE9uXFQx6VdDZxlaEWEUFuua41u8zwCh3v6F5OjDrlWwoP +Rq/c5yWvypUB7ItB7L/uvsOqy6V8PGkH4pHxYCyFThC2OvzKFXGqNrxF70NIAz6N +ySlQPlu5TK2PrC1MiXMMPciNdfNagSUZQKecMMij4qjRMRypcUZJTEker4CR6HC+ +4UlnBj6UpijKquaGZMAe95oRJLVwCOshLgHjihMe12qwX1njeAQqPQR4KZ7JUeaY +4M1oymxyuZPlwUtAKSouHQ7s7g3KHaoSIalIaxY9OCxs52H5y2uyFbrqSDVWPh1/ +zgXffmu6hB/oReyDhhcH47+cTgn23cw86d7+Buppbs05g8QcjbWv099IRbVpirKm +ORT+4qdXjev/w74WZUFXKW7PFhHor6PAUb2zAcurVv4RTIVsRD6wPovUKgkbdJeX +9vbJrZycgnGT4twL7WSPKivn4BYBIp28/jZzl2OtiSyZf/hrnEqFp8fa4DiW9mRA +3ExbjfCQqOGMTwLwAkj4m+AhdN55xYQLsj/6pz3AysBRoS1E/vtxSIpRAAmf3Uhh +MpRkKk0mA5f4MsQqR7JZ2ben9k/GTHeH7qsqzb1k+rEwEY8F91QgsBzT5zO4pPQ1 +rIGTN4CBa7QcJH3fc3i9rYMYAtuVlpCUuQINBF629C4BEADdWtCy2yfnyjSBasMb +IzTOV+WHcj0DJJDNJjGcy4GTM98gklBcP2W3w+makX6cboHpN/TNpfAUQPHlqNE4 +hQKth3Q/clwX6olnNQxS9GZFYCbUjPHMxOCF9RDjewUcIp9AZDgoZ/jxNCVinb64 +8qOm2ffeWBcjZANxpVMUsqAIWorzxX60qCgVEl0omQZPSs3a0uZO+mZYRO91Xo9U +uVws/krKo+l+vN4g6k1pZF2lCfBAJ8L/m/Ncz5p438ZwFmMWvx4vrxlsQ4A4T+BJ +flyUi43BAeSVrdGtVJEil4oM+y5GIm9bNPdZiJEz7DZrbIeXNqKRjKFiXcG2b8qo +DN1aq5QiJC3Rok4ar4YfOZCpL4INQYnINHdNL5lpcyeDBYZG7dKUy2O4afnvjxd4 +FnsvYp5qm4s+dl2oPD0Gr+6KTotX2/eVr4vwZDGer+Z5o8c0BHvh2heFI2RtXxcF +adx7LNldg709kAM8/yVdQI9GjRaN+1QFXmyqpHa8TQkUEIOKet9JMBCJkcCU2GPL +VTVJVUD23VcJGCb3YV47FVwKT6MQYVNtEuanr8TIiP9hYRBx4JuT5qJEml4g4CCO +xpuLFIKAK3rJbzpsnaUHhikjlOYGdTELb3wb3XEEH1dZJZwk7WEDFf+pTVFxMfS5 +V82kN/wIdCwtF0lfvAfc8/wNBQARAQABiQI8BBgBCAAmFiEEv93ShkKCT4EY73eQ +m2elwSIpEY8FAl629C4CGwwFCQeEzgAACgkQm2elwSIpEY9frw//SgPRLx3Tzcg5 +PI1P3VLz2Cqi3EEygNHAaQ3L/fjdG31RYowbcPB6coPtt0NF8SbsKYC+ze9hy8Qi +c66XyMrnHOY/fflq4dcK26ncp5CifYTNuJTIY9mR2j+NqDegLeLpyxRofNGvmJCR +Y08YfYzkb7Y16UI86vo/vIrEOYu9ck/Vk83rCQYbayzFUK4DjQ+ROgEvyLlBIzh7 
+dyDbhthxSadI0bXZQU/WSwfs6EySCDAEVKmRmU4Bfq3oVSLE13ne33VonTCvRijf +UlPnAVmd73G9+5Q6YfGwpkW/2hpW8uYQVMuisK0lxf1elbMqlonHF87ffQ6tAX7k +hPlQimIx06MsOI/YJ5a2XR9jTMMlIInCm3PBi28Rkurc2K0stjA/gSC0A/nJ6RoA +Mg9pG3BJuoIRli004tdXKLXK9Llwi4j2cFhtvMnIcfR8V77zVDQK7w0pj9urmaqP +1mRWLpGmhS5bUKHCOTxAJMdiuDfsW9MuR7f/DPlzTv7f6QEfsh1jVKWVIG2dHbo5 +uYT3VQPVOdXMhzArnDpdLDdPqDtuq3u3tGU5yJoxehwc4DeS4Q5nHKE+K6ThSaq1 +u+4TjIbyFJIOZ+Enet8GwfPASrD1xepkVBD3B7r8C6+YwBPEElurC4aYQG4eexl3 +RbbnRGir0GxlvcmpWMLo+2IqeVyRrbY= +=jKsj -----END PGP PUBLIC KEY BLOCK----- diff --git a/php-mbstring.patch b/php-mbstring.patch deleted file mode 100644 index 7da512b..0000000 --- a/php-mbstring.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 2eb2f9d74f22bf35a4915ec95afc53a47ebf1af9 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Thu, 2 Jun 2022 08:05:22 +0200 -Subject: [PATCH] Fix GH-8685 mbstring requires pcre - ---- - ext/mbstring/mbstring.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c -index 48f22a682a19..4a4088aed3fb 100644 ---- a/ext/mbstring/mbstring.c -+++ b/ext/mbstring/mbstring.c -@@ -161,9 +161,18 @@ static const php_mb_nls_ident_list php_mb_default_identify_list[] = { - - /* }}} */ - -+/* {{{ mbstring_deps[] */ -+static const zend_module_dep mbstring_deps[] = { -+ ZEND_MOD_REQUIRED("pcre") -+ ZEND_MOD_END -+}; -+/* }}} */ -+ - /* {{{ zend_module_entry mbstring_module_entry */ - zend_module_entry mbstring_module_entry = { -- STANDARD_MODULE_HEADER, -+ STANDARD_MODULE_HEADER_EX, -+ NULL, -+ mbstring_deps, - "mbstring", - ext_functions, - PHP_MINIT(mbstring), diff --git a/rpminspect.yaml b/rpminspect.yaml deleted file mode 100644 index c2da769..0000000 --- a/rpminspect.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -inspections: - # tracked as #1988529 php disables LTO in RHEL 9 - lto: off - -emptyrpm: - # metapackage - expected_empty: - - php - diff --git a/sources b/sources index cf51de3..60f877b 100644 --- a/sources 
+++ b/sources
@@ -1,2 +1 @@
 SHA512 (php-7.4.33.tar.xz) = 499b63b99e5d8e8082ff89d3a91b4cb9a593ea7553b96e48863414c13d2e50275904ed29070e2232e529ee91160f505e6060a4d129cb5bf098aa5b6ea0928d3d
-SHA512 (php-keyring.gpg) = 7e1cb5c63c48545aeeb52caf05271835d77edf9b4a563f2a9337c805603c1784cf8e1ca627726e8002f089c2132a5a5d61190d910c3dfe4e7234a338a9e88db1