diff --git a/NEWS b/NEWS index 0e4a16cf6e8a6..48d2a235629c6 100644 --- a/NEWS +++ b/NEWS @@ -94,6 +94,7 @@ PHP NEWS Florian Sowade) . Added X509_PURPOSE_OCSP_HELPER and X509_PURPOSE_TIMESTAMP_SIGN constants. (Vincent Jardin) + . Bumped minimum required OpenSSL version to 1.1.1. (Ayesh Karunaratne) - Output: . Clear output handler status flags during handler initialization. (haszi) diff --git a/UPGRADING b/UPGRADING index 3b080ac78444d..6c1e1def82bbc 100644 --- a/UPGRADING +++ b/UPGRADING @@ -342,6 +342,7 @@ PHP 8.4 UPGRADE NOTES a single entry. . New serial_hex parameter added to openssl_csr_sign to allow setting serial number in the hexadecimal format. + . The OpenSSL extension now requires at least OpenSSL 1.1.1. - Output: . Output handler status flags passed to the flags parameter of ob_start diff --git a/build/php.m4 b/build/php.m4 index e975985fe7498..7e302d0f320ff 100644 --- a/build/php.m4 +++ b/build/php.m4 @@ -1821,7 +1821,7 @@ dnl AC_DEFUN([PHP_SETUP_OPENSSL],[ found_openssl=no - PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.0.2], [found_openssl=yes]) + PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.1.1], [found_openssl=yes]) if test "$found_openssl" = "yes"; then PHP_EVAL_LIBLINE($OPENSSL_LIBS, $1) diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c index 5c3c4b301c598..1d82cf43e0677 100644 --- a/ext/ftp/ftp.c +++ b/ext/ftp/ftp.c @@ -293,9 +293,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const size_t user_len, const char *pa return 0; } -#if OPENSSL_VERSION_NUMBER >= 0x0090605fL ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; -#endif SSL_CTX_set_options(ctx, ssl_ctx_options); /* Allow SSL to re-use sessions. diff --git a/ext/ftp/php_ftp.c b/ext/ftp/php_ftp.c index 8c6c2e900177c..2f0f2b0d64198 100644 --- a/ext/ftp/php_ftp.c +++ b/ext/ftp/php_ftp.c 
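Review bot: With the `#if OPENSSL_VERSION_NUMBER >= 0x0090605fL` guard gone, the remaining `ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;` in the ext/ftp/ftp.c hunk has no explanation of why a bit is being cleared from the option set. Clearing that flag keeps OpenSSL's empty-fragment countermeasure for CBC cipher suites enabled (the flag itself disables it), which is the security-relevant intent and is worth stating inline now that the version comment is gone, e.g. `/* keep OpenSSL's empty-fragment CBC countermeasure enabled (the flag disables it) */`. Where `ssl_ctx_options` is initialised is outside the hunk, so whether it starts from SSL_OP_ALL (which sets this bit) can't be confirmed here; ftp_login's body continues outside the hunk.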
@@ -99,15 +99,13 @@ static void ftp_object_destroy(zend_object *zobj) { PHP_MINIT_FUNCTION(ftp) { -#ifdef HAVE_FTP_SSL -#if OPENSSL_VERSION_NUMBER < 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) +#if defined(HAVE_FTP_SSL) && !defined(LIBRESSL_VERSION_NUMBER) SSL_library_init(); OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); OpenSSL_add_all_algorithms(); SSL_load_error_strings(); -#endif #endif php_ftp_ce = register_class_FTP_Connection(); diff --git a/ext/openssl/config0.m4 b/ext/openssl/config0.m4 index ffd4e0751cc6b..f449a19d55cd5 100644 --- a/ext/openssl/config0.m4 +++ b/ext/openssl/config0.m4 @@ -1,7 +1,7 @@ PHP_ARG_WITH([openssl], [for OpenSSL support], [AS_HELP_STRING([--with-openssl], - [Include OpenSSL support (requires OpenSSL >= 1.0.2)])]) + [Include OpenSSL support (requires OpenSSL >= 1.1.1)])]) PHP_ARG_WITH([kerberos], [for Kerberos support], diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 1506e6fef45dc..949f5d76245e8 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -61,7 +61,7 @@ #include #endif -#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && !defined(OPENSSL_NO_ENGINE) +#if defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ENGINE) #include #endif @@ -99,7 +99,7 @@ #define HAVE_EVP_PKEY_EC 1 /* the OPENSSL_EC_EXPLICIT_CURVE value was added - * in OpenSSL 1.1.0; previous versions should + * in OpenSSL 1.1.0; previous versions should * use 0 instead. */ #ifndef OPENSSL_EC_EXPLICIT_CURVE @@ -1269,7 +1269,7 @@ PHP_MINIT_FUNCTION(openssl) php_openssl_pkey_object_handlers.clone_obj = NULL; php_openssl_pkey_object_handlers.compare = zend_objects_not_comparable; -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER) +#ifdef LIBRESSL_VERSION_NUMBER OPENSSL_config(NULL); SSL_library_init(); OpenSSL_add_all_ciphers(); 
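Review bot: The new guard `#if defined(HAVE_FTP_SSL) && !defined(LIBRESSL_VERSION_NUMBER)` in the ext/ftp/php_ftp.c hunk enables the legacy `SSL_library_init()`/`OpenSSL_add_all_*()`/`SSL_load_error_strings()` block on exactly the builds where the old guard excluded it: the old condition `OPENSSL_VERSION_NUMBER < 0x10101000` is never true once 1.1.1 is the floor, so for OpenSSL the block should disappear, not become unconditional. On 1.1.1+ these names are, as far as I know, compatibility macros over OPENSSL_init_ssl/OPENSSL_init_crypto, so the runtime effect is probably benign, but the result is dead legacy code and it is now inconsistent with the ext/openssl/openssl.c hunk at -1269 in this same commit, which keeps the equivalent block under `#ifdef LIBRESSL_VERSION_NUMBER`. Either delete the block entirely (matching the old semantics for OpenSSL) or, if LibreSSL initialisation is wanted here, use `#if defined(HAVE_FTP_SSL) && defined(LIBRESSL_VERSION_NUMBER)` to mirror openssl.c. PHP_MINIT_FUNCTION(ftp) continues outside the hunk.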
@@ -1309,9 +1309,7 @@ PHP_MINIT_FUNCTION(openssl) php_stream_xport_register("tlsv1.0", php_openssl_ssl_socket_factory); php_stream_xport_register("tlsv1.1", php_openssl_ssl_socket_factory); php_stream_xport_register("tlsv1.2", php_openssl_ssl_socket_factory); -#if OPENSSL_VERSION_NUMBER >= 0x10101000 php_stream_xport_register("tlsv1.3", php_openssl_ssl_socket_factory); -#endif /* override the default tcp socket provider */ php_stream_xport_register("tcp", php_openssl_ssl_socket_factory); @@ -1364,7 +1362,7 @@ PHP_MINFO_FUNCTION(openssl) /* {{{ PHP_MSHUTDOWN_FUNCTION */ PHP_MSHUTDOWN_FUNCTION(openssl) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER) +#ifdef LIBRESSL_VERSION_NUMBER EVP_cleanup(); /* prevent accessing locking callback from unloaded extension */ @@ -1391,9 +1389,7 @@ PHP_MSHUTDOWN_FUNCTION(openssl) php_stream_xport_unregister("tlsv1.0"); php_stream_xport_unregister("tlsv1.1"); php_stream_xport_unregister("tlsv1.2"); -#if OPENSSL_VERSION_NUMBER >= 0x10101000 php_stream_xport_unregister("tlsv1.3"); -#endif /* reinstate the default tcp handler */ php_stream_xport_register("tcp", php_stream_generic_socket_factory); @@ -4609,7 +4605,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { EVP_PKEY_CTX_free(ctx); ctx = EVP_PKEY_CTX_new(param_key, NULL); } - + if (EVP_PKEY_check(ctx) || EVP_PKEY_public_check_quick(ctx)) { *is_private = d != NULL; EVP_PKEY_up_ref(param_key); diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h index 304854b4bf91d..3cf83b3d02bde 100644 --- a/ext/openssl/php_openssl.h +++ b/ext/openssl/php_openssl.h @@ -26,7 +26,7 @@ extern zend_module_entry openssl_module_entry; #define PHP_OPENSSL_VERSION PHP_VERSION #include -#if defined(LIBRESSL_VERSION_NUMBER) +#ifdef LIBRESSL_VERSION_NUMBER /* LibreSSL version check */ #if LIBRESSL_VERSION_NUMBER < 0x20700000L #define PHP_OPENSSL_API_VERSION 0x10001 
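Review bot: Registering the `tlsv1.3` transport unconditionally in the -1309 hunk (and unregistering it unconditionally in the -1391 hunk) no longer agrees with ext/openssl/xp_ssl.c, where HAVE_TLS13 in this same commit is still gated on `#ifndef OPENSSL_NO_TLS1_3`; a libssl built with TLS 1.3 disabled will therefore expose a `tlsv1.3://` wrapper name whose method the stream code may not support. What php_openssl_ssl_socket_factory does in that case is not visible in the hunk, so this is inferred, but keeping the two sides consistent is cheap: wrap the register call in `#ifndef OPENSSL_NO_TLS1_3` / `#endif` and do the same around `php_stream_xport_unregister("tlsv1.3");` in PHP_MSHUTDOWN_FUNCTION. Both PHP_MINIT_FUNCTION(openssl) and PHP_MSHUTDOWN_FUNCTION(openssl) extend beyond their hunks.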
@@ -35,9 +35,7 @@ extern zend_module_entry openssl_module_entry; #endif #else /* OpenSSL version check */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L -#define PHP_OPENSSL_API_VERSION 0x10002 -#elif OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L #define PHP_OPENSSL_API_VERSION 0x10100 #else #define PHP_OPENSSL_API_VERSION 0x30000 diff --git a/ext/openssl/tests/bug80747.phpt b/ext/openssl/tests/bug80747.phpt index b21fc4d9dcda3..2f6c654c9362c 100644 --- a/ext/openssl/tests/bug80747.phpt +++ b/ext/openssl/tests/bug80747.phpt @@ -2,10 +2,6 @@ Bug #80747: Providing RSA key size < 512 generates key that crash PHP --EXTENSIONS-- openssl ---SKIPIF-- -= v1.1.0 required"); -?> --FILE-- = 0x10101000; -$err_pem_no_start_line = $is_111 ? '0909006C': '0906D06C'; +$err_pem_no_start_line = '0909006C'; // PKEY echo "PKEY errors\n"; diff --git a/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt b/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt index f0560bd186cdc..7c06881c9be78 100644 --- a/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt +++ b/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt @@ -4,9 +4,6 @@ int openssl_x509_checkpurpose ( mixed $x509cert , int $purpose [, array $cainfo marcosptf - --EXTENSIONS-- openssl ---SKIPIF-- - --FILE-- --FILE-- --FILE-- = v1.1.0 required"); if (!function_exists("proc_open")) die("skip no proc_open"); ?> --FILE-- diff --git a/ext/openssl/tests/tls_wrapper.phpt b/ext/openssl/tests/tls_wrapper.phpt index 2220fbc0ac1da..7e3d1121d6759 100644 --- a/ext/openssl/tests/tls_wrapper.phpt +++ b/ext/openssl/tests/tls_wrapper.phpt @@ -5,7 +5,6 @@ openssl --SKIPIF-- --FILE-- --FILE-- --FILE-- = 0x10101000 && !defined(OPENSSL_NO_TLS1_3) +#ifndef OPENSSL_NO_TLS1_3 #define HAVE_TLS13 1 #endif @@ -89,7 +89,7 @@ #define HAVE_TLS_ALPN 1 #endif -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +#ifndef LIBRESSL_VERSION_NUMBER #define HAVE_SEC_LEVEL 1 #endif 
@@ -676,11 +676,7 @@ static int php_openssl_win_cert_verify_callback(X509_STORE_CTX *x509_store_ctx, { PCCERT_CONTEXT cert_ctx = NULL; PCCERT_CHAIN_CONTEXT cert_chain_ctx = NULL; -#if OPENSSL_VERSION_NUMBER < 0x10100000L - X509 *cert = x509_store_ctx->cert; -#else X509 *cert = X509_STORE_CTX_get0_cert(x509_store_ctx); -#endif php_stream *stream; php_openssl_netstream_data_t *sslsock; diff --git a/php.ini-development b/php.ini-development index 730a400ec9402..2ce934f811932 100644 --- a/php.ini-development +++ b/php.ini-development @@ -928,12 +928,6 @@ default_socket_timeout = 60 ; Be sure to appropriately set the extension_dir directive. ; ;extension=bz2 - -; The ldap extension must be before curl if OpenSSL 1.0.2 and OpenLDAP is used -; otherwise it results in segfault when unloading after using SASL. -; See https://github.com/php/php-src/issues/8620 for more info. -;extension=ldap - ;extension=curl ;extension=ffi ;extension=ftp @@ -942,6 +936,7 @@ default_socket_timeout = 60 ;extension=gettext ;extension=gmp ;extension=intl +;extension=ldap ;extension=mbstring ;extension=exif ; Must be after mbstring as it depends on it ;extension=mysqli diff --git a/php.ini-production b/php.ini-production index 56b0905f2e090..43d24fc372087 100644 --- a/php.ini-production +++ b/php.ini-production @@ -930,12 +930,6 @@ default_socket_timeout = 60 ; Be sure to appropriately set the extension_dir directive. ; ;extension=bz2 - -; The ldap extension must be before curl if OpenSSL 1.0.2 and OpenLDAP is used -; otherwise it results in segfault when unloading after using SASL. -; See https://github.com/php/php-src/issues/8620 for more info. -;extension=ldap - ;extension=curl ;extension=ffi ;extension=ftp @@ -944,6 +938,7 @@ default_socket_timeout = 60 ;extension=gettext ;extension=gmp ;extension=intl +;extension=ldap ;extension=mbstring ;extension=exif ; Must be after mbstring as it depends on it ;extension=mysqli