backport needed changes for OpenSSL 1.1

kohanaworld · Jul 6, 2017 · 4ca75ff · 4ca75ff
1 parent 390f647
commit 4ca75ff
Show file tree

Hide file tree

Showing 8 changed files with 371 additions and 206 deletions.
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
diff --git a/ext/openssl/tests/001.phpt b/ext/openssl/tests/001.phpt
@@ -18,19 +18,20 @@ for ($z = "", $i = 0; $i < 1024; $i++) {
  usleep($i);
 }
 
-$privkey = openssl_pkey_new();
+$conf = array('config' => dirname(__FILE__) . DIRECTORY_SEPARATOR . 'openssl.cnf');
+$privkey = openssl_pkey_new($conf);
 
 if ($privkey === false)
  die("failed to create private key");
 
 $passphrase = "banana";
-$key_file_name = tempnam("/tmp", "ssl");
+$key_file_name = tempnam(sys_get_temp_dir(), "ssl");
 if ($key_file_name === false)
  die("failed to get a temporary filename!");
 
 echo "Export key to file\n";
 
-openssl_pkey_export_to_file($privkey, $key_file_name, $passphrase) or die("failed to export to file $key_file_name");
+openssl_pkey_export_to_file($privkey, $key_file_name, $passphrase, $conf) or die("failed to export to file $key_file_name");
 
 echo "Load key from file - array syntax\n";
 

diff --git a/ext/openssl/tests/bug41033.phpt b/ext/openssl/tests/bug41033.phpt
@@ -13,11 +13,11 @@ $pub = 'file://' . dirname(__FILE__) . '/' . 'bug41033pub.pem';
 
 $prkeyid = openssl_get_privatekey($prv, "1234");
 $ct = "Hello I am some text!";
-openssl_sign($ct, $signature, $prkeyid, OPENSSL_ALGO_DSS1);
+openssl_sign($ct, $signature, $prkeyid, OPENSSL_ALGO_SHA1);
 echo "Signature: ".base64_encode($signature) . "\n";
 
 $pukeyid = openssl_get_publickey($pub);
-$valid = openssl_verify($ct, $signature, $pukeyid, OPENSSL_ALGO_DSS1);
+$valid = openssl_verify($ct, $signature, $pukeyid, OPENSSL_ALGO_SHA1);
 echo "Signature validity: " . $valid . "\n";
 
 

diff --git a/ext/openssl/tests/bug66501.phpt b/ext/openssl/tests/bug66501.phpt
@@ -16,7 +16,7 @@ AwEHoUQDQgAEPq4hbIWHvB51rdWr8ejrjWo4qVNWVugYFtPg/xLQw0mHkIPZ4DvK
 sqOTOnMoezkbSmVVMuwz9flvnqHGmQvmug==
 -----END EC PRIVATE KEY-----';
 $key = openssl_pkey_get_private($pkey);
-$res = openssl_sign($data ='alpha', $sign, $key, 'ecdsa-with-SHA1');
+$res = openssl_sign($data ='alpha', $sign, $key, 'SHA1');
 var_dump($res);
 --EXPECTF--
 bool(true)
diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt
@@ -89,7 +89,7 @@ expect_openssl_errors('openssl_pkey_export_to_file opening', ['02001002', '2006D
 expect_openssl_errors('openssl_pkey_export_to_file pem', ['0906D06C']);
 // file to export cannot be written
 @openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write);
-expect_openssl_errors('openssl_pkey_export_to_file write', ['2006D002', '09072007']);
+expect_openssl_errors('openssl_pkey_export_to_file write', ['2006D002']);
 // succesful export
 @openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd');
 expect_openssl_errors('openssl_pkey_export', ['06065064', '0906A065']);
@@ -105,7 +105,7 @@ expect_openssl_errors('openssl_private_decrypt', ['04065072']);
 // public encrypt and decrypt with failed padding check and padding
 @openssl_public_encrypt("data", $crypted, $public_key_file, 1000);
 @openssl_public_decrypt("data", $crypted, $public_key_file);
-expect_openssl_errors('openssl_private_(en|de)crypt padding', ['0906D06C', '04068076', '0407006A', '04067072']);
+expect_openssl_errors('openssl_private_(en|de)crypt padding', ['0906D06C', '04068076', '04067072']);
 
 // X509
 echo "X509 errors\n";
@@ -126,7 +126,7 @@ expect_openssl_errors('openssl_x509_checkpurpose purpose', ['0B086079']);
 echo "CSR errors\n";
 // file for csr (file:///) fails when opennig (BIO_new_file)
 @openssl_csr_get_subject("file://" . $invalid_file_for_read);
-expect_openssl_errors('openssl_csr_get_subject open', ['02001002', '2006D080', '20068079', '0906D06C']);
+expect_openssl_errors('openssl_csr_get_subject open', ['02001002', '2006D080']);
 // file or str csr is not correct PEM - failing PEM_read_bio_X509_REQ
 @openssl_csr_get_subject($crt_file);
 expect_openssl_errors('openssl_csr_get_subjec pem', ['0906D06C']);

diff --git a/ext/openssl/tests/sni_server.phpt b/ext/openssl/tests/sni_server.phpt
@@ -3,6 +3,8 @@ sni_server
 --SKIPIF--
 <?php
 if (!extension_loaded("openssl")) die("skip openssl not loaded");
+--XFAIL--
+Known to fail with OpenSSL 1.1
 --FILE--
 <?php
 $serverCode = <<<'CODE'

diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
@@ -935,13 +935,9 @@ static int set_local_cert(SSL_CTX *ctx, php_stream *stream TSRMLS_DC) /* {{{ */
 static const SSL_METHOD *php_select_crypto_method(long method_value, int is_client TSRMLS_DC) /* {{{ */
 {
  if (method_value == STREAM_CRYPTO_METHOD_SSLv2) {
-#ifndef OPENSSL_NO_SSL2
- return is_client ? SSLv2_client_method() : SSLv2_server_method();
-#else
  php_error_docref(NULL TSRMLS_CC, E_WARNING,
  "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
  return NULL;
-#endif
  } else if (method_value == STREAM_CRYPTO_METHOD_SSLv3) {
 #ifndef OPENSSL_NO_SSL3
  return is_client ? SSLv3_client_method() : SSLv3_server_method();
@@ -980,11 +976,6 @@ static long php_get_crypto_method_ctx_flags(long method_flags TSRMLS_DC) /* {{{
 {
  long ssl_ctx_options = SSL_OP_ALL;
 
-#ifndef OPENSSL_NO_SSL2
- if (!(method_flags & STREAM_CRYPTO_METHOD_SSLv2)) {
- ssl_ctx_options |= SSL_OP_NO_SSLv2;
- }
-#endif
 #ifndef OPENSSL_NO_SSL3
  if (!(method_flags & STREAM_CRYPTO_METHOD_SSLv3)) {
  ssl_ctx_options |= SSL_OP_NO_SSLv3;
@@ -1602,7 +1593,6 @@ static zval *capture_session_meta(SSL *ssl_handle) /* {{{ */
 #endif
  case TLS1_VERSION: proto_str = "TLSv1"; break;
  case SSL3_VERSION: proto_str = "SSLv3"; break;
- case SSL2_VERSION: proto_str = "SSLv2"; break;
  default: proto_str = "UNKNOWN";
  }
 
@@ -2416,13 +2406,8 @@ php_stream *php_openssl_ssl_socket_factory(const char *proto, size_t protolen,
  sslsock->enable_on_connect = 1;
  sslsock->method = get_crypto_method(context, STREAM_CRYPTO_METHOD_ANY_CLIENT);
  } else if (strncmp(proto, "sslv2", protolen) == 0) {
-#ifdef OPENSSL_NO_SSL2
  php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv2 support is not compiled into the OpenSSL library PHP is linked against");
  return NULL;
-#else
- sslsock->enable_on_connect = 1;
- sslsock->method = STREAM_CRYPTO_METHOD_SSLv2_CLIENT;
-#endif
  } else if (strncmp(proto, "sslv3", protolen) == 0) {
 #ifdef OPENSSL_NO_SSL3
  php_error_docref(NULL TSRMLS_CC, E_WARNING, "SSLv3 support is not compiled into the OpenSSL library PHP is linked against");

diff --git a/ext/phar/util.c b/ext/phar/util.c
@@ -1531,7 +1531,7 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
  BIO *in;
  EVP_PKEY *key;
  EVP_MD *mdtype = (EVP_MD *) EVP_sha1();
- EVP_MD_CTX md_ctx;
+ EVP_MD_CTX *md_ctx;
 #else
  int tempsig;
 #endif
@@ -1608,7 +1608,8 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
  return FAILURE;
  }
 
- EVP_VerifyInit(&md_ctx, mdtype);
+ md_ctx = EVP_MD_CTX_create();
+ EVP_VerifyInit(md_ctx, mdtype);
  read_len = end_of_phar;
 
  if (read_len > sizeof(buf)) {
@@ -1620,17 +1621,17 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
  php_stream_seek(fp, 0, SEEK_SET);
 
  while (read_size && (len = php_stream_read(fp, (char*)buf, read_size)) > 0) {
- EVP_VerifyUpdate (&md_ctx, buf, len);
+ EVP_VerifyUpdate (md_ctx, buf, len);
  read_len -= (off_t)len;
 
  if (read_len < read_size) {
  read_size = (int)read_len;
  }
  }
 
- if (EVP_VerifyFinal(&md_ctx, (unsigned char *)sig, sig_len, key) != 1) {
+ if (EVP_VerifyFinal(md_ctx, (unsigned char *)sig, sig_len, key) != 1) {
  /* 1: signature verified, 0: signature does not match, -1: failed signature operation */
- EVP_MD_CTX_cleanup(&md_ctx);
+ EVP_MD_CTX_destroy(md_ctx);
 
  if (error) {
  spprintf(error, 0, "broken openssl signature");
@@ -1639,7 +1640,7 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
  return FAILURE;
  }
 
- EVP_MD_CTX_cleanup(&md_ctx);
+ EVP_MD_CTX_destroy(md_ctx);
 #endif
 
  *signature_len = phar_hex_str((const char*)sig, sig_len, signature TSRMLS_CC);