From c3a6debc08ebdc1cc336eb2d13aae1988ccbe688 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Sat, 10 Oct 2020 21:02:26 +0100
Subject: Bump minimal OpenSSL version to 1.0.2
---
 NEWS | 3 +++
 UPGRADING | 3 +++
 build/php.m4 | 2 +-
 ext/openssl/config0.m4 | 2 +-
 ext/openssl/openssl.c | 35 ++++++++++-------------------------
 ext/openssl/php_openssl.h | 4 +---
 ext/openssl/xp_ssl.c | 9 ---------
 7 files changed, 19 insertions(+), 39 deletions(-)
diff --git a/NEWS b/NEWS
index 8bcc093f96..b9e81b417f 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,9 @@ PHP NEWS
 - hash:
 . Implemented FR #68109 (Add MurmurHash V3). (Anatol, Michael)
+- OpenSSL:
+ . Bump minimal OpenSSL version to 1.0.2. (Jakub Zelenka)
+
 - PSpell:
 . Convert resource to object \PSpell. (Sara)
 . Convert resource to object \PSPellConfig. (Sara)
diff --git a/UPGRADING b/UPGRADING
index 5d4791675a..c8c8d4b09e 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -58,6 +58,9 @@ PHP 8.1 UPGRADE NOTES
 9. Other Changes to Extensions
 ========================================
+- OpenSSL:
+ . The OpenSSL extension now requires at least OpenSSL version 1.0.2.
+
 ========================================
 10. New Global Constants
 ========================================
diff --git a/build/php.m4 b/build/php.m4
index 16c5e25fba..fe2f176e3c 100644
--- a/build/php.m4
+++ b/build/php.m4
@@ -1903,7 +1903,7 @@ dnl
 AC_DEFUN([PHP_SETUP_OPENSSL],[
 found_openssl=no
- PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.0.1], [found_openssl=yes])
+ PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.0.2], [found_openssl=yes])
 if test "$found_openssl" = "yes"; then
 PHP_EVAL_LIBLINE($OPENSSL_LIBS, $1)
diff --git a/ext/openssl/config0.m4 b/ext/openssl/config0.m4
index 9df2469363..e08a76897a 100644
--- a/ext/openssl/config0.m4
+++ b/ext/openssl/config0.m4
@@ -1,7 +1,7 @@
 PHP_ARG_WITH([openssl],
 [for OpenSSL support],
 [AS_HELP_STRING([--with-openssl],
- [Include OpenSSL support (requires OpenSSL >= 1.0.1)])])
+ [Include OpenSSL support (requires OpenSSL >= 1.0.2)])])
 PHP_ARG_WITH([kerberos],
 [for Kerberos support],
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 18c822ed67..113d0c2ec4 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1149,13 +1149,6 @@ PHP_MINIT_FUNCTION(openssl)
 OpenSSL_add_all_ciphers();
 OpenSSL_add_all_digests();
 OpenSSL_add_all_algorithms();
-
-#if !defined(OPENSSL_NO_AES) && defined(EVP_CIPH_CCM_MODE) && OPENSSL_VERSION_NUMBER < 0x100020000
- EVP_add_cipher(EVP_aes_128_ccm());
- EVP_add_cipher(EVP_aes_192_ccm());
- EVP_add_cipher(EVP_aes_256_ccm());
-#endif
-
 SSL_load_error_strings();
 #else
 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
@@ -3671,26 +3664,18 @@ static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req
 case OPENSSL_KEYTYPE_RSA:
 {
 RSA* rsaparam;
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
- /* OpenSSL 1.0.2 deprecates RSA_generate_key */
- PHP_OPENSSL_RAND_ADD_TIME();
- rsaparam = (RSA*)RSA_generate_key(req->priv_key_bits, RSA_F4, NULL, NULL);
-#else
- {
- BIGNUM *bne = (BIGNUM *)BN_new();
- if (BN_set_word(bne, RSA_F4) != 1) {
- BN_free(bne);
- php_error_docref(NULL, E_WARNING, "Failed setting exponent");
- return NULL;
- }
- rsaparam = RSA_new();
- PHP_OPENSSL_RAND_ADD_TIME();
- if (rsaparam == NULL || !RSA_generate_key_ex(rsaparam, req->priv_key_bits, bne, NULL)) {
- php_openssl_store_errors();
- }
+ BIGNUM *bne = (BIGNUM *)BN_new();
+ if (BN_set_word(bne, RSA_F4) != 1) {
 BN_free(bne);
+ php_error_docref(NULL, E_WARNING, "Failed setting exponent");
+ return NULL;
 }
-#endif
+ rsaparam = RSA_new();
+ PHP_OPENSSL_RAND_ADD_TIME();
+ if (rsaparam == NULL || !RSA_generate_key_ex(rsaparam, req->priv_key_bits, bne, NULL)) {
+ php_openssl_store_errors();
+ }
+ BN_free(bne);
 if (rsaparam && EVP_PKEY_assign_RSA(req->priv_key, rsaparam)) {
 return_val = req->priv_key;
 } else {
diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h
index c674ead34b..838832388c 100644
--- a/ext/openssl/php_openssl.h
+++ b/ext/openssl/php_openssl.h
@@ -35,9 +35,7 @@ extern zend_module_entry openssl_module_entry;
 #endif
 #else
 /* OpenSSL version check */
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
-#define PHP_OPENSSL_API_VERSION 0x10001
-#elif OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 #define PHP_OPENSSL_API_VERSION 0x10002
 #else
 #define PHP_OPENSSL_API_VERSION 0x10100
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index feb9ee52c1..6fdbf1df16 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
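Review bot: In the `OPENSSL_KEYTYPE_RSA` case of php_openssl_generate_private_key, a failed `RSA_generate_key_ex()` only records the error and leaves `rsaparam` non-NULL, so the following `if (rsaparam && EVP_PKEY_assign_RSA(req->priv_key, rsaparam))` can still attach an RSA object that holds no generated key and set `return_val` as if generation had succeeded. The failure branch should release and clear the object after `php_openssl_store_errors();`, for example `RSA_free(rsaparam); rsaparam = NULL;`. The result of `BN_new()` is also used unchecked; `if (bne == NULL || BN_set_word(bne, RSA_F4) != 1) {` would cover an allocation failure on the same error path. The function starts before and continues past this hunk, so the body of the `else` branch and any cleanup of `req->priv_key` on the early `return NULL` are not visible here.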
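Review bot: With the `0x10001` branch removed, php_openssl.h now classifies every OpenSSL older than 1.1.0 as `PHP_OPENSSL_API_VERSION 0x10002`, so the 1.0.2 floor is enforced only by the `PKG_CHECK_MODULES` test in build/php.m4. A build that reaches this header without going through that check (whether such a path exists is not visible in this patch) would compile against 1.0.1 without any diagnostic. A compile-time guard placed ahead of the `#if` would make the requirement explicit: `#if OPENSSL_VERSION_NUMBER < 0x10002000L`, `#error "OpenSSL >= 1.0.2 is required"`, `#endif`.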
@@ -33,11 +33,8 @@
 #include
 #include
 #include
-
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 #include
 #include
-#endif
 #ifdef PHP_WIN32
 #include "win32/winutil.h"
@@ -80,10 +77,8 @@
 #ifndef OPENSSL_NO_TLSEXT
 #define HAVE_TLS_SNI 1
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 #define HAVE_TLS_ALPN 1
 #endif
-#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 #define HAVE_SEC_LEVEL 1
@@ -1294,12 +1289,8 @@ static int php_openssl_set_server_ecdh_curve(php_stream *stream, SSL_CTX *ctx) /
 zvcurve = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "ecdh_curve");
 if (zvcurve == NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 SSL_CTX_set_ecdh_auto(ctx, 1);
 return SUCCESS;
-#else
- curve_nid = NID_X9_62_prime256v1;
-#endif
 } else {
 if (!try_convert_to_string(zvcurve)) {
 return FAILURE;
-- cgit v1.2.1