more changes for OpenSSL 3 from PHP 8.1

Remi Collet 2021-09-13 11:07:01 +02:00
parent 21e824d6aa
commit dbb5d5a908
2 changed files with 168 additions and 39 deletions

@ -1,7 +1,7 @@
From 3d13d14f318267b27f99025b37a2061c835e0727 Mon Sep 17 00:00:00 2001 From 3d13d14f318267b27f99025b37a2061c835e0727 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net> From: Remi Collet <remi@php.net>
Date: Sun, 8 Aug 2021 17:38:30 +0200 Date: Sun, 8 Aug 2021 17:38:30 +0200
Subject: [PATCH 01/37] minimal fix for openssl 3.0 (#7002) Subject: [PATCH 01/39] minimal fix for openssl 3.0 (#7002)
(cherry picked from commit a0972deb0f441fc7991001cb51efc994b70a3b51) (cherry picked from commit a0972deb0f441fc7991001cb51efc994b70a3b51)
--- ---
@ -28,7 +28,7 @@ index 19e7a0d79e..015cd89aa6 100644
From fc0dbc36e4563a5146aa5345e8520f6601ec7030 Mon Sep 17 00:00:00 2001 From fc0dbc36e4563a5146aa5345e8520f6601ec7030 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 09:41:39 +0200 Date: Wed, 4 Aug 2021 09:41:39 +0200
Subject: [PATCH 02/37] Optimize openssl memory leak test Subject: [PATCH 02/39] Optimize openssl memory leak test
Just do one call and check whether memory usage changes. Looping Just do one call and check whether memory usage changes. Looping
this 100000 times is extremely slow with debug builds of openssl. this 100000 times is extremely slow with debug builds of openssl.
@ -76,7 +76,7 @@ index 4f3dc9e766..c9c7df2953 100644
From da4fbfb99a6dfc9dbaaa04a4bc8068a7e9bfa46c Mon Sep 17 00:00:00 2001 From da4fbfb99a6dfc9dbaaa04a4bc8068a7e9bfa46c Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 09:46:07 +0200 Date: Wed, 4 Aug 2021 09:46:07 +0200
Subject: [PATCH 03/37] Reduce security level in some OpenSSL tests Subject: [PATCH 03/39] Reduce security level in some OpenSSL tests
This allows tests using older protocols and algorithms to work This allows tests using older protocols and algorithms to work
under OpenSSL 3. under OpenSSL 3.
@ -346,7 +346,7 @@ index c1aaa04919..84a137b5f4 100644
From fe770720985c5f31a79528528be0aa8e0e56a389 Mon Sep 17 00:00:00 2001 From fe770720985c5f31a79528528be0aa8e0e56a389 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 09:57:40 +0200 Date: Wed, 4 Aug 2021 09:57:40 +0200
Subject: [PATCH 04/37] Adjust some tests for whitespace differences in OpenSSL Subject: [PATCH 04/39] Adjust some tests for whitespace differences in OpenSSL
3 3
A trailing newline is no longer present in OpenSSL 3. A trailing newline is no longer present in OpenSSL 3.
@ -454,7 +454,7 @@ index b80c1f71f1..38915157f3 100644
From 676a47080bed2730b892e4ea43b93deb4acea335 Mon Sep 17 00:00:00 2001 From 676a47080bed2730b892e4ea43b93deb4acea335 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 11:55:47 +0200 Date: Wed, 4 Aug 2021 11:55:47 +0200
Subject: [PATCH 05/37] Use different cipher in openssl_seal() test Subject: [PATCH 05/39] Use different cipher in openssl_seal() test
RC4 is insecure and not supported in newer versions. RC4 is insecure and not supported in newer versions.
@ -493,7 +493,7 @@ index 16efb05a66..e23045c992 100644
From 389b4605281975d4ecac92cb3751d18d2e3fd60a Mon Sep 17 00:00:00 2001 From 389b4605281975d4ecac92cb3751d18d2e3fd60a Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 11:58:46 +0200 Date: Wed, 4 Aug 2021 11:58:46 +0200
Subject: [PATCH 06/37] Don't test legacy algorithms in SPKI tests Subject: [PATCH 06/39] Don't test legacy algorithms in SPKI tests
MD4 and RMD160 may not be available on newer OpenSSL versions. MD4 and RMD160 may not be available on newer OpenSSL versions.
@ -634,7 +634,7 @@ index c760d0cb83..35badcda37 100644
From 054aeebb623e6d4a055a4bab60a864f8c7f65675 Mon Sep 17 00:00:00 2001 From 054aeebb623e6d4a055a4bab60a864f8c7f65675 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 12:48:02 +0200 Date: Wed, 4 Aug 2021 12:48:02 +0200
Subject: [PATCH 07/37] Only report provided ciphers in Subject: [PATCH 07/39] Only report provided ciphers in
openssl_get_cipher_methods() openssl_get_cipher_methods()
With OpenSSL 3 ciphers may be registered, but not provided. Make With OpenSSL 3 ciphers may be registered, but not provided. Make
@ -724,7 +724,7 @@ index c674ead34b..16bad9e6b0 100644
From 62fbe1839d980583156b0d22c49753c4666e73e8 Mon Sep 17 00:00:00 2001 From 62fbe1839d980583156b0d22c49753c4666e73e8 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 12:05:02 +0200 Date: Wed, 4 Aug 2021 12:05:02 +0200
Subject: [PATCH 08/37] Avoid RC4 use in another test Subject: [PATCH 08/39] Avoid RC4 use in another test
(cherry picked from commit 503146aa87e48f075f47a093ed7868e323814a66) (cherry picked from commit 503146aa87e48f075f47a093ed7868e323814a66)
--- ---
@ -750,7 +750,7 @@ index 5e551c507f..271a878cdf 100644
From 95e6b2c67de6a63d059b678d14f291487f563163 Mon Sep 17 00:00:00 2001 From 95e6b2c67de6a63d059b678d14f291487f563163 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 15:47:14 +0200 Date: Wed, 4 Aug 2021 15:47:14 +0200
Subject: [PATCH 09/37] Use EVP_PKEY API for Subject: [PATCH 09/39] Use EVP_PKEY API for
openssl_public_encrypt/private_decrypt openssl_public_encrypt/private_decrypt
Use the high level API instead of the deprecated low level API. Use the high level API instead of the deprecated low level API.
@ -954,7 +954,7 @@ index b55b7ced44..eb76dfbf77 100644
From b29b719e4741cde6d1e441e0340f038976cb461b Mon Sep 17 00:00:00 2001 From b29b719e4741cde6d1e441e0340f038976cb461b Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 16:56:32 +0200 Date: Wed, 4 Aug 2021 16:56:32 +0200
Subject: [PATCH 10/37] Use EVP_PKEY APIs for Subject: [PATCH 10/39] Use EVP_PKEY APIs for
openssl_private_encrypt/public_decrypt openssl_private_encrypt/public_decrypt
Use high level APIs instead of deprecated low level APIs. Use high level APIs instead of deprecated low level APIs.
@ -1158,7 +1158,7 @@ index eb76dfbf77..f3eb82067b 100644
From bfdbdfb6bf128c157adfba402b89b0f82be993ab Mon Sep 17 00:00:00 2001 From bfdbdfb6bf128c157adfba402b89b0f82be993ab Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 10:29:50 +0200 Date: Thu, 5 Aug 2021 10:29:50 +0200
Subject: [PATCH 11/37] Use EVP_PKEY APIs for key generation Subject: [PATCH 11/39] Use EVP_PKEY APIs for key generation
Use high level API instead of deprecated low level API. Use high level API instead of deprecated low level API.
@ -1434,7 +1434,7 @@ index 327c916688..12ae0ff0e1 100644
From 8dfe551ef85a874df63d0bb50b2d065c3370fd7e Mon Sep 17 00:00:00 2001 From 8dfe551ef85a874df63d0bb50b2d065c3370fd7e Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 11:50:11 +0200 Date: Thu, 5 Aug 2021 11:50:11 +0200
Subject: [PATCH 12/37] Relax error check Subject: [PATCH 12/39] Relax error check
The precise error is version-dependent, just check that there The precise error is version-dependent, just check that there
is some kind of error reported. is some kind of error reported.
@ -1467,7 +1467,7 @@ index 12ae0ff0e1..3f319b4b24 100644
From 44859f59f3ff3d7cf24ae146e9b0da348e6befcd Mon Sep 17 00:00:00 2001 From 44859f59f3ff3d7cf24ae146e9b0da348e6befcd Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 12:59:13 +0200 Date: Thu, 5 Aug 2021 12:59:13 +0200
Subject: [PATCH 13/37] Store whether pkey object contains private key Subject: [PATCH 13/39] Store whether pkey object contains private key
Rather than querying whether the EVP_PKEY contains private key Rather than querying whether the EVP_PKEY contains private key
information, determine this at time of construction and store it information, determine this at time of construction and store it
@ -1821,7 +1821,7 @@ index d260670ff9..1fca64df15 100644
From c58ef46342a52c8b81ee6f727257a2b471b6d9c3 Mon Sep 17 00:00:00 2001 From c58ef46342a52c8b81ee6f727257a2b471b6d9c3 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 14:59:16 +0200 Date: Thu, 5 Aug 2021 14:59:16 +0200
Subject: [PATCH 14/37] Add test for openssl_dh_compute_key() Subject: [PATCH 14/39] Add test for openssl_dh_compute_key()
This function was not tested at all :( This function was not tested at all :(
@ -1872,7 +1872,7 @@ index 0000000000..8730f4b57d
From fbb478f86081d4d879d1ed644c37842e0d9b1192 Mon Sep 17 00:00:00 2001 From fbb478f86081d4d879d1ed644c37842e0d9b1192 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 14:52:56 +0200 Date: Thu, 5 Aug 2021 14:52:56 +0200
Subject: [PATCH 15/37] Extract php_openssl_pkey_derive() function Subject: [PATCH 15/39] Extract php_openssl_pkey_derive() function
To allow sharing it with the openssl_dh_compute_key() implementation. To allow sharing it with the openssl_dh_compute_key() implementation.
@ -2019,7 +2019,7 @@ index 1fca64df15..bf3f70d355 100644
From f8f202ae92bf2c92cec4ad8d6bf2f57236ccd976 Mon Sep 17 00:00:00 2001 From f8f202ae92bf2c92cec4ad8d6bf2f57236ccd976 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 15:58:20 +0200 Date: Thu, 5 Aug 2021 15:58:20 +0200
Subject: [PATCH 16/37] Avoid DH_compute_key() with OpenSSL 3 Subject: [PATCH 16/39] Avoid DH_compute_key() with OpenSSL 3
Instead construct a proper EVP_PKEY for the public key and Instead construct a proper EVP_PKEY for the public key and
perform a derive operation. perform a derive operation.
@ -2134,7 +2134,7 @@ index bf3f70d355..91d2589aad 100644
From fbb13f6bf183f1d2d95fe2aa48edce300aad5fd7 Mon Sep 17 00:00:00 2001 From fbb13f6bf183f1d2d95fe2aa48edce300aad5fd7 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 14:54:59 +0200 Date: Wed, 4 Aug 2021 14:54:59 +0200
Subject: [PATCH 17/37] Use different algorithm in pkcs7 tests Subject: [PATCH 17/39] Use different algorithm in pkcs7 tests
The default of OPENSSL_CIPHER_RC2_40 is no longer (non-legacy) The default of OPENSSL_CIPHER_RC2_40 is no longer (non-legacy)
supported in OpenSSL 3, specify a newer cipher instead. supported in OpenSSL 3, specify a newer cipher instead.
@ -2205,7 +2205,7 @@ index ef9b25e70b..7a600bc292 100644
From e6d9c6b6cfcc255124bb42b409c29db854ff828d Mon Sep 17 00:00:00 2001 From e6d9c6b6cfcc255124bb42b409c29db854ff828d Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 16:30:55 +0200 Date: Thu, 5 Aug 2021 16:30:55 +0200
Subject: [PATCH 18/37] Use different algorithm in cms tests Subject: [PATCH 18/39] Use different algorithm in cms tests
Same as with pkcs7, switch these tests to use an algorithm that Same as with pkcs7, switch these tests to use an algorithm that
OpenSSL 3 supports out of the box. OpenSSL 3 supports out of the box.
@ -2271,7 +2271,7 @@ index 929f3f2e02..4030862391 100644
From 31e60d155d01253ab42f490fecd0f2a5e537bc47 Mon Sep 17 00:00:00 2001 From 31e60d155d01253ab42f490fecd0f2a5e537bc47 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 17:07:44 +0200 Date: Thu, 5 Aug 2021 17:07:44 +0200
Subject: [PATCH 19/37] Use larger key size for DSA/DH tests Subject: [PATCH 19/39] Use larger key size for DSA/DH tests
OpenSSL 3 validates allowed sizes strictly, pick minimum sizes OpenSSL 3 validates allowed sizes strictly, pick minimum sizes
that are supported. that are supported.
@ -2320,7 +2320,7 @@ index 0b3f91b8fe..4e4bba8aa8 100644
From b93f08093684d24a80857fec7ede1c41f440cff5 Mon Sep 17 00:00:00 2001 From b93f08093684d24a80857fec7ede1c41f440cff5 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 4 Aug 2021 13:54:26 +0200 Date: Wed, 4 Aug 2021 13:54:26 +0200
Subject: [PATCH 20/37] Skip some tests if cipher not available Subject: [PATCH 20/39] Skip some tests if cipher not available
(cherry picked from commit d23a8b33abc3cd7e516563877a3f698b7a94ac10) (cherry picked from commit d23a8b33abc3cd7e516563877a3f698b7a94ac10)
--- ---
@ -2390,7 +2390,7 @@ index 4175e703d2..e846b42e78 100644
From bc8281431c8ce82c232fee5674b945af95bbd860 Mon Sep 17 00:00:00 2001 From bc8281431c8ce82c232fee5674b945af95bbd860 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 5 Aug 2021 16:29:43 +0200 Date: Thu, 5 Aug 2021 16:29:43 +0200
Subject: [PATCH 21/37] Use different cipher in one more CMS test Subject: [PATCH 21/39] Use different cipher in one more CMS test
Followup to ec4d926a80fe93c80d2b52f0178bc627097d9288 -- I failed Followup to ec4d926a80fe93c80d2b52f0178bc627097d9288 -- I failed
to squash in this commit. to squash in this commit.
@ -2443,7 +2443,7 @@ index f1a0c6af8b..ee706ebfba 100644
From c42a69def274fb77cbcb3db4189841e3f582803a Mon Sep 17 00:00:00 2001 From c42a69def274fb77cbcb3db4189841e3f582803a Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 6 Aug 2021 10:35:49 +0200 Date: Fri, 6 Aug 2021 10:35:49 +0200
Subject: [PATCH 22/37] Generate pkcs12_read test inputs on the fly Subject: [PATCH 22/39] Generate pkcs12_read test inputs on the fly
The old p12_with_extra_certs.p12 file uses an unsupported something. The old p12_with_extra_certs.p12 file uses an unsupported something.
@ -2549,7 +2549,7 @@ index b81b4d9dac..8cb2b41fd7 100644
From 8e99695bb1f630edee4ddb44ae78e99190b5efb3 Mon Sep 17 00:00:00 2001 From 8e99695bb1f630edee4ddb44ae78e99190b5efb3 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 6 Aug 2021 11:15:18 +0200 Date: Fri, 6 Aug 2021 11:15:18 +0200
Subject: [PATCH 23/37] Do not special case export of EC keys Subject: [PATCH 23/39] Do not special case export of EC keys
All other private keys are exported in PKCS#8 format, while EC All other private keys are exported in PKCS#8 format, while EC
keys use traditional format. Switch them to use PKCS#8 format as keys use traditional format. Switch them to use PKCS#8 format as
@ -2644,7 +2644,7 @@ index 678b7e7299..5cd68d18b8 100644
From 87bec9d2942be4a87cccb0d28cb3e134d692c312 Mon Sep 17 00:00:00 2001 From 87bec9d2942be4a87cccb0d28cb3e134d692c312 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 6 Aug 2021 16:51:05 +0200 Date: Fri, 6 Aug 2021 16:51:05 +0200
Subject: [PATCH 24/37] Switch manual DH key generation to param API Subject: [PATCH 24/39] Switch manual DH key generation to param API
Instead of using the deprecated low-level interface. Instead of using the deprecated low-level interface.
@ -2833,7 +2833,7 @@ index b360b0506e..06e5adecda 100644
From 0b1f12e24360dad5c6feba319af7e12e2cf72fc1 Mon Sep 17 00:00:00 2001 From 0b1f12e24360dad5c6feba319af7e12e2cf72fc1 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 6 Aug 2021 17:14:58 +0200 Date: Fri, 6 Aug 2021 17:14:58 +0200
Subject: [PATCH 25/37] Switch manual DSA key generation to param API Subject: [PATCH 25/39] Switch manual DSA key generation to param API
This is very similar to the DH case, with the primary difference This is very similar to the DH case, with the primary difference
that priv_key is ignored if pub_key is not given, rather than that priv_key is ignored if pub_key is not given, rather than
@ -3006,7 +3006,7 @@ index 06e5adecda..84a4083807 100644
From d20cf6a278be5561debcd5ce0cc34a6046eac669 Mon Sep 17 00:00:00 2001 From d20cf6a278be5561debcd5ce0cc34a6046eac669 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Sun, 8 Aug 2021 17:39:06 +0200 Date: Sun, 8 Aug 2021 17:39:06 +0200
Subject: [PATCH 26/37] Use OpenSSL NCONF APIs (#7337) Subject: [PATCH 26/39] Use OpenSSL NCONF APIs (#7337)
(cherry picked from commit 94bc5fce261a4a56a545bdfb25d5c2452a07de08) (cherry picked from commit 94bc5fce261a4a56a545bdfb25d5c2452a07de08)
--- ---
@ -3184,7 +3184,7 @@ index 84a4083807..1dda83f71e 100644
From 575c8ddf73c4a343139be225596c5101497e3186 Mon Sep 17 00:00:00 2001 From 575c8ddf73c4a343139be225596c5101497e3186 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net> From: Jakub Zelenka <bukka@php.net>
Date: Sun, 8 Aug 2021 20:54:46 +0100 Date: Sun, 8 Aug 2021 20:54:46 +0100
Subject: [PATCH 27/37] Make CertificateGenerator not dependent on external Subject: [PATCH 27/39] Make CertificateGenerator not dependent on external
config in OpenSSL 3.0 config in OpenSSL 3.0
(cherry picked from commit c90c9c7545427d9d35cbac45c4ec896f54619744) (cherry picked from commit c90c9c7545427d9d35cbac45c4ec896f54619744)
@ -3242,7 +3242,7 @@ index 1dc378e706..4783353a47 100644
From 4da1bade85b14bd1f0aa9cf9f463931de54de2ef Mon Sep 17 00:00:00 2001 From 4da1bade85b14bd1f0aa9cf9f463931de54de2ef Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Aug 2021 10:26:12 +0200 Date: Mon, 9 Aug 2021 10:26:12 +0200
Subject: [PATCH 28/37] Extract EC key initialization Subject: [PATCH 28/39] Extract EC key initialization
(cherry picked from commit 14d7c7e9aee5ab55a92ddc626b7b81c130ea7618) (cherry picked from commit 14d7c7e9aee5ab55a92ddc626b7b81c130ea7618)
--- ---
@ -3513,7 +3513,7 @@ index 1dda83f71e..a595101cf6 100644
From 0b12c49898ef390ce53e33490a842fd384de6902 Mon Sep 17 00:00:00 2001 From 0b12c49898ef390ce53e33490a842fd384de6902 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Aug 2021 12:01:35 +0200 Date: Mon, 9 Aug 2021 12:01:35 +0200
Subject: [PATCH 29/37] Test calculation of EC public key from private key Subject: [PATCH 29/39] Test calculation of EC public key from private key
(cherry picked from commit 246698671f941b2034518ab04f35009b2da77bb1) (cherry picked from commit 246698671f941b2034518ab04f35009b2da77bb1)
--- ---
@ -3557,7 +3557,7 @@ index 0a71393ae3..0b05410c2c 100644
From 6b6b7c28dc81e106f6a1ef96d1f4bc43901764cf Mon Sep 17 00:00:00 2001 From 6b6b7c28dc81e106f6a1ef96d1f4bc43901764cf Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Aug 2021 11:12:20 +0200 Date: Mon, 9 Aug 2021 11:12:20 +0200
Subject: [PATCH 30/37] Use param API for creating EC keys Subject: [PATCH 30/39] Use param API for creating EC keys
Rather than the deprecated low level APIs. Rather than the deprecated low level APIs.
@ -3702,7 +3702,7 @@ index a595101cf6..df057caa8b 100644
From ab4d43be04953eb75b37d532ac5fe42f0464f1be Mon Sep 17 00:00:00 2001 From ab4d43be04953eb75b37d532ac5fe42f0464f1be Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Aug 2021 14:19:33 +0200 Date: Mon, 9 Aug 2021 14:19:33 +0200
Subject: [PATCH 31/37] Extract public key portion via PEM roundtrip Subject: [PATCH 31/39] Extract public key portion via PEM roundtrip
The workaround with cloning the X509_REQ no longer works in The workaround with cloning the X509_REQ no longer works in
OpenSSL 3. Instead extract the public key portion by round OpenSSL 3. Instead extract the public key portion by round
@ -3792,7 +3792,7 @@ index df057caa8b..e86e99c73f 100644
From 7939ffbdcc8d3358306653d7343f2b70204824f9 Mon Sep 17 00:00:00 2001 From 7939ffbdcc8d3358306653d7343f2b70204824f9 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 6 Aug 2021 12:08:07 +0200 Date: Fri, 6 Aug 2021 12:08:07 +0200
Subject: [PATCH 32/37] Use param API for openssl_pkey_get_details() Subject: [PATCH 32/39] Use param API for openssl_pkey_get_details()
Now that the DSA/DH/EC keys are not created using the legacy API, Now that the DSA/DH/EC keys are not created using the legacy API,
we can fetch the details using the param API as well, and not we can fetch the details using the param API as well, and not
@ -3989,7 +3989,7 @@ index e86e99c73f..40f05da9f2 100644
From 35012d2b29254b806e5f376817d22f6c3bab136d Mon Sep 17 00:00:00 2001 From 35012d2b29254b806e5f376817d22f6c3bab136d Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Aug 2021 14:34:12 +0200 Date: Mon, 9 Aug 2021 14:34:12 +0200
Subject: [PATCH 33/37] Add missing unsigned qualifier Subject: [PATCH 33/39] Add missing unsigned qualifier
This previously got lost in the deprecation warning noise. This previously got lost in the deprecation warning noise.
@ -4017,7 +4017,7 @@ index 40f05da9f2..856d7fc4af 100644
From c34296faadc0a9e15e4ca960d573cdf3aabd8742 Mon Sep 17 00:00:00 2001 From c34296faadc0a9e15e4ca960d573cdf3aabd8742 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Aug 2021 14:47:43 +0200 Date: Mon, 9 Aug 2021 14:47:43 +0200
Subject: [PATCH 34/37] Use param API to create RSA key Subject: [PATCH 34/39] Use param API to create RSA key
Instead of deprecated low-level API. Instead of deprecated low-level API.
@ -4240,7 +4240,7 @@ index b2c37f6a87..08c9660f22 100644
From b32adee0fe39c9d0fb981fc7cfe1892c225ba1c3 Mon Sep 17 00:00:00 2001 From b32adee0fe39c9d0fb981fc7cfe1892c225ba1c3 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 10 Aug 2021 11:50:18 +0200 Date: Tue, 10 Aug 2021 11:50:18 +0200
Subject: [PATCH 35/37] Fork openssl_error_string() test for OpenSSL Subject: [PATCH 35/39] Fork openssl_error_string() test for OpenSSL
The used error code differ signficantly, so use a separate test The used error code differ signficantly, so use a separate test
file. file.
@ -4467,7 +4467,7 @@ index 0000000000..b119346fe1
From f99d70f7d8d660c2ded4f8f1700771c227987021 Mon Sep 17 00:00:00 2001 From f99d70f7d8d660c2ded4f8f1700771c227987021 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 10 Aug 2021 12:17:17 +0200 Date: Tue, 10 Aug 2021 12:17:17 +0200
Subject: [PATCH 36/37] Switch dh_param handling to EVP_PKEY API Subject: [PATCH 36/39] Switch dh_param handling to EVP_PKEY API
(cherry picked from commit ef787bae242fdd2e72625bbce6ab4ca466b1ef59) (cherry picked from commit ef787bae242fdd2e72625bbce6ab4ca466b1ef59)
--- ---
@ -4537,7 +4537,7 @@ index 206543ca82..b61234943e 100644
From b3deb9b38d4a52b4582f40d4d32240353db26653 Mon Sep 17 00:00:00 2001 From b3deb9b38d4a52b4582f40d4d32240353db26653 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com> From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 11 Aug 2021 10:11:12 +0200 Date: Wed, 11 Aug 2021 10:11:12 +0200
Subject: [PATCH 37/37] Fix openssl memory leaks Subject: [PATCH 37/39] Fix openssl memory leaks
Some leaks that snuck in during refactorings. Some leaks that snuck in during refactorings.
@ -4575,7 +4575,7 @@ index 9e31f76998..d8102bd4bc 100644
From 02f08ac888b0c5f43468eaf76b59b29a7c2d7c74 Mon Sep 17 00:00:00 2001 From 02f08ac888b0c5f43468eaf76b59b29a7c2d7c74 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net> From: Remi Collet <remi@remirepo.net>
Date: Fri, 10 Sep 2021 11:28:20 +0200 Date: Fri, 10 Sep 2021 11:28:20 +0200
Subject: [PATCH] fix [-Wmaybe-uninitialized] build warnings Subject: [PATCH 38/39] fix [-Wmaybe-uninitialized] build warnings
(cherry picked from commit 6ee96f095ad947ffc820437b2e9e6449000e18a2) (cherry picked from commit 6ee96f095ad947ffc820437b2e9e6449000e18a2)
--- ---
@ -4633,3 +4633,129 @@ index d8102bd4bc..40e6e7ba97 100644
-- --
2.31.1 2.31.1
From b881c41d32928781cb48013692da04fc84ca9107 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Sun, 12 Sep 2021 20:30:02 +0100
Subject: [PATCH 39/39] Make OpenSSL tests less dependent on system config
It fixes dependencies on system config if running tests with OpenSSL 3.0
(cherry picked from commit 43f0141d74c1db6e792f3b625ea7f4ae57ff338f)
---
ext/openssl/tests/bug52093.phpt | 6 +++---
ext/openssl/tests/bug72165.phpt | 5 +++--
ext/openssl/tests/bug73711.phpt | 3 +++
ext/openssl/tests/ecc.phpt | 3 +++
.../tests/openssl_error_string_basic_openssl3.phpt | 9 +++++----
5 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/ext/openssl/tests/bug52093.phpt b/ext/openssl/tests/bug52093.phpt
index 63eaceb5ac..162945f914 100644
--- a/ext/openssl/tests/bug52093.phpt
+++ b/ext/openssl/tests/bug52093.phpt
@@ -14,10 +14,10 @@ $dn = array(
"commonName" => "Henrique do N. Angelo",
"emailAddress" => "hnangelo@php.net"
);
-
+$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf'];
$privkey = openssl_pkey_new();
-$csr = openssl_csr_new($dn, $privkey);
-$cert = openssl_csr_sign($csr, null, $privkey, 365, [], PHP_INT_MAX);
+$csr = openssl_csr_new($dn, $privkey, $options);
+$cert = openssl_csr_sign($csr, null, $privkey, 365, $options, PHP_INT_MAX);
var_dump(openssl_x509_parse($cert)['serialNumber']);
?>
--EXPECT--
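Review bot: `openssl_pkey_new()` in this hunk is still called with no arguments, so key generation keeps reading the system OpenSSL config while `openssl_csr_new()` and `openssl_csr_sign()` now take the bundled `openssl.cnf`. The bug73711.phpt and ecc.phpt changes in this same patch pass `config` to `openssl_pkey_new()`; doing the same here, `$privkey = openssl_pkey_new($options);`, would make this test independent of system config from key generation through signing.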
diff --git a/ext/openssl/tests/bug72165.phpt b/ext/openssl/tests/bug72165.phpt
index 50e8b54100..fb78881fc3 100644
--- a/ext/openssl/tests/bug72165.phpt
+++ b/ext/openssl/tests/bug72165.phpt
@@ -6,8 +6,9 @@ if (!extension_loaded("openssl")) die("skip");
?>
--FILE--
<?php
-$var0 = array(0 => "hello", 1 => "world");
-$var2 = openssl_csr_new(array(0),$var0,null,array(0));
+$var0 = [0 => "hello", 1 => "world"];
+$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf'];
+$var2 = openssl_csr_new([0], $var0, $options, [0]);
?>
--EXPECTF--
Warning: openssl_csr_new(): dn: numeric fild names are not supported in %sbug72165.php on line %d
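Review bot: the `array(...)` to `[...]` rewrite of `$var0` and of the first and fourth arguments to `openssl_csr_new()` is cosmetic and unrelated to the config fix, which is only the replacement of `null` by `$options` in the third argument. Keeping the syntax change out of this hunk would leave a one-line functional diff that is easier to audit and to backport.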
diff --git a/ext/openssl/tests/bug73711.phpt b/ext/openssl/tests/bug73711.phpt
index 4e4bba8aa8..8ca0101d1a 100644
--- a/ext/openssl/tests/bug73711.phpt
+++ b/ext/openssl/tests/bug73711.phpt
@@ -6,13 +6,16 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded");
?>
--FILE--
<?php
+$config = __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf';
var_dump(openssl_pkey_new([
"private_key_type" => OPENSSL_KEYTYPE_DSA,
"private_key_bits" => 1024,
+ 'config' => $config,
]));
var_dump(openssl_pkey_new([
"private_key_type" => OPENSSL_KEYTYPE_DH,
"private_key_bits" => 512,
+ 'config' => $config,
]));
echo "DONE";
?>
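Review bot: the added `'config' => $config,` entries use single quotes next to double-quoted keys in the same array literals, while ecc.phpt in this patch adds the same key as `"config"`. The path expression `__DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf'` is also repeated in each of the five test files touched here; a short comment saying why the bundled config is required under OpenSSL 3.0 would help whoever next edits these tests.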
diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt
index 0b05410c2c..1d97b1450a 100644
--- a/ext/openssl/tests/ecc.phpt
+++ b/ext/openssl/tests/ecc.phpt
@@ -4,9 +4,11 @@ openssl_*() with OPENSSL_KEYTYPE_EC
<?php if (!extension_loaded("openssl") || !defined("OPENSSL_KEYTYPE_EC")) print "skip"; ?>
--FILE--
<?php
+$config = __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf';
$args = array(
"curve_name" => "secp384r1",
"private_key_type" => OPENSSL_KEYTYPE_EC,
+ "config" => $config,
);
echo "Testing openssl_pkey_new\n";
$key1 = openssl_pkey_new($args);
@@ -15,6 +17,7 @@ var_dump($key1);
$argsFailed = array(
"curve_name" => "invalid_cuve_name",
"private_key_type" => OPENSSL_KEYTYPE_EC,
+ "config" => $config,
);
$keyFailed = openssl_pkey_new($argsFailed);
diff --git a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
index b119346fe1..d435a53e30 100644
--- a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
+++ b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
@@ -100,18 +100,19 @@ echo "\n";
$err_pem_no_start_line = '0480006C';
// PKEY
+$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf'];
echo "PKEY errors\n";
// file for pkey (file:///) fails when opennig (BIO_new_file)
-@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file);
+@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file, null, $options);
expect_openssl_errors('openssl_pkey_export_to_file opening', ['10000080']);
// file or private pkey is not correct PEM - failing PEM_read_bio_PrivateKey
-@openssl_pkey_export_to_file($csr_file, $output_file);
+@openssl_pkey_export_to_file($csr_file, $output_file, null, $options);
expect_openssl_errors('openssl_pkey_export_to_file pem', ['1E08010C']);
// file to export cannot be written
-@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write);
+@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write, null, $options);
expect_openssl_errors('openssl_pkey_export_to_file write', ['10080002']);
// successful export
-@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd');
+@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd', $options);
expect_openssl_errors('openssl_pkey_export', ['1C800064', '04800065']);
// invalid x509 for getting public key
@openssl_pkey_get_public($private_key_file);
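Review bot: the context comment `// successful export` sits above a call that passes `'wrong pwd'` and is followed by `expect_openssl_errors('openssl_pkey_export', ['1C800064', '04800065'])`, so it describes the opposite of what the test asserts; since the line directly below it is modified here, the comment should be corrected in the same change. Separately, every modified call is prefixed with `@`, and nothing in the visible lines checks that the `openssl.cnf` named in `$options` is readable, so a missing file could change the error queue these assertions compare against without any visible warning.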
--
2.31.1

@ -68,7 +68,7 @@
Summary: PHP scripting language for creating dynamic web sites Summary: PHP scripting language for creating dynamic web sites
Name: php Name: php
Version: %{upver}%{?rcver:~%{rcver}} Version: %{upver}%{?rcver:~%{rcver}}
Release: 2%{?dist} Release: 3%{?dist}
# All files licensed under PHP version 3.01, except # All files licensed under PHP version 3.01, except
# Zend is licensed under Zend # Zend is licensed under Zend
# TSRM is licensed under BSD # TSRM is licensed under BSD
@ -1538,6 +1538,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%changelog %changelog
* Mon Sep 13 2021 Remi Collet <remi@remirepo.net> - 8.0.11~RC1-3
- more changes for OpenSSL 3 from PHP 8.1
* Fri Sep 10 2021 Remi Collet <remi@remirepo.net> - 8.0.11~RC1-2 * Fri Sep 10 2021 Remi Collet <remi@remirepo.net> - 8.0.11~RC1-2
- backport changes for OpenSSL 3 from PHP 8.1 - backport changes for OpenSSL 3 from PHP 8.1
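Review bot: the new `%changelog` entry for 8.0.11~RC1-3 repeats the commit subject and does not say what was added. Naming the backported upstream change (patch 39/39, "Make OpenSSL tests less dependent on system config", cherry picked from 43f0141d74c1db6e792f3b625ea7f4ae57ff338f) would let a packager trace this release bump to the patch that caused it.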