Bump minimal OpenSSL version to 1.0.2
authorJakub Zelenka <bukka@php.net>
Sat, 10 Oct 2020 20:02:26 +0000 (21:02 +0100)
committerJakub Zelenka <bukka@php.net>
Sun, 1 Nov 2020 20:10:37 +0000 (20:10 +0000)
NEWS
UPGRADING
build/php.m4
ext/openssl/config0.m4
ext/openssl/openssl.c
ext/openssl/php_openssl.h
ext/openssl/xp_ssl.c

diff --git a/NEWS b/NEWS
index 8bcc093f9665d2aa0352fcc220325a122698144d..b9e81b417f60c82b4f17ac9dc1b163d719a92c9c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,9 @@ PHP                                                                        NEWS
 - hash:
   . Implemented FR #68109 (Add MurmurHash V3). (Anatol, Michael)
 
+- OpenSSL:
+  . Bump minimal OpenSSL version to 1.0.2. (Jakub Zelenka)
+
 - PSpell:
   . Convert resource<pspell> to object \PSpell. (Sara)
   . Convert resource<pspell config> to object \PSPellConfig. (Sara)
index 5d4791675ab5f93422a3dcacddf226f1b5fecd0a..c8c8d4b09e0891f1fffb6c2033d4cf3ec6635eb3 100644 (file)
--- a/UPGRADING
+++ b/UPGRADING
@@ -58,6 +58,9 @@ PHP 8.1 UPGRADE NOTES
 9. Other Changes to Extensions
 ========================================
 
+- OpenSSL:
+  . The OpenSSL extension now requires at least OpenSSL version 1.0.2.
+
 ========================================
 10. New Global Constants
 ========================================
index 16c5e25fbaab0cb17d378a6ccddc14ac57d5a74c..fe2f176e3cb332179043e9a82abea5716653eeb0 100644 (file)
@@ -1903,7 +1903,7 @@ dnl
 AC_DEFUN([PHP_SETUP_OPENSSL],[
   found_openssl=no
 
-  PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.0.1], [found_openssl=yes])
+  PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.0.2], [found_openssl=yes])
 
   if test "$found_openssl" = "yes"; then
     PHP_EVAL_LIBLINE($OPENSSL_LIBS, $1)
index 9df2469363fa6e5cff0a50f8a3a801ddc5df7dfb..e08a76897aeeb3a67a42e3b63d00d69f02e7787b 100644 (file)
@@ -1,7 +1,7 @@
 PHP_ARG_WITH([openssl],
   [for OpenSSL support],
   [AS_HELP_STRING([--with-openssl],
-    [Include OpenSSL support (requires OpenSSL >= 1.0.1)])])
+    [Include OpenSSL support (requires OpenSSL >= 1.0.2)])])
 
 PHP_ARG_WITH([kerberos],
   [for Kerberos support],
index 18c822ed676a699599c528e8fe7a822d0beb306a..113d0c2ec4aa8beb2a41f2686ba740bc66c2b732 100644 (file)
@@ -1149,13 +1149,6 @@ PHP_MINIT_FUNCTION(openssl)
        OpenSSL_add_all_ciphers();
        OpenSSL_add_all_digests();
        OpenSSL_add_all_algorithms();
-
-#if !defined(OPENSSL_NO_AES) && defined(EVP_CIPH_CCM_MODE) && OPENSSL_VERSION_NUMBER < 0x100020000
-       EVP_add_cipher(EVP_aes_128_ccm());
-       EVP_add_cipher(EVP_aes_192_ccm());
-       EVP_add_cipher(EVP_aes_256_ccm());
-#endif
-
        SSL_load_error_strings();
 #else
        OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
@@ -3671,26 +3664,18 @@ static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req
                        case OPENSSL_KEYTYPE_RSA:
                                {
                                        RSA* rsaparam;
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
-                                       /* OpenSSL 1.0.2 deprecates RSA_generate_key */
-                                       PHP_OPENSSL_RAND_ADD_TIME();
-                                       rsaparam = (RSA*)RSA_generate_key(req->priv_key_bits, RSA_F4, NULL, NULL);
-#else
-                                       {
-                                               BIGNUM *bne = (BIGNUM *)BN_new();
-                                               if (BN_set_word(bne, RSA_F4) != 1) {
-                                                       BN_free(bne);
-                                                       php_error_docref(NULL, E_WARNING, "Failed setting exponent");
-                                                       return NULL;
-                                               }
-                                               rsaparam = RSA_new();
-                                               PHP_OPENSSL_RAND_ADD_TIME();
-                                               if (rsaparam == NULL || !RSA_generate_key_ex(rsaparam, req->priv_key_bits, bne, NULL)) {
-                                                       php_openssl_store_errors();
-                                               }
+                                       BIGNUM *bne = (BIGNUM *)BN_new();
+                                       if (BN_set_word(bne, RSA_F4) != 1) {
                                                BN_free(bne);
+                                               php_error_docref(NULL, E_WARNING, "Failed setting exponent");
+                                               return NULL;
                                        }
-#endif
+                                       rsaparam = RSA_new();
+                                       PHP_OPENSSL_RAND_ADD_TIME();
+                                       if (rsaparam == NULL || !RSA_generate_key_ex(rsaparam, req->priv_key_bits, bne, NULL)) {
+                                               php_openssl_store_errors();
+                                       }
+                                       BN_free(bne);
                                        if (rsaparam && EVP_PKEY_assign_RSA(req->priv_key, rsaparam)) {
                                                return_val = req->priv_key;
                                        } else {
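Review bot: When `RSA_generate_key_ex` fails, `rsaparam` is still non-NULL, so the following `if (rsaparam && EVP_PKEY_assign_RSA(req->priv_key, rsaparam))` can attach an RSA object with no generated key material to `req->priv_key` and hand it back as the new key. The failure branch should release and clear the object after recording the error: `php_openssl_store_errors(); RSA_free(rsaparam); rsaparam = NULL;`. Separately, `BN_new()` is not checked, so an allocation failure reaches `BN_set_word(bne, RSA_F4)` with a NULL pointer; a guard such as `if (bne == NULL || BN_set_word(bne, RSA_F4) != 1)` covers both cases, since `BN_free(NULL)` is a no-op. The function begins and ends outside this hunk, so whether the early `return NULL` skips cleanup after the switch needs checking against the full body.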
index c674ead34b28acc282045ae928bc5311c5510d82..838832388c5565b0aea8e9801214593252a73052 100644 (file)
@@ -35,9 +35,7 @@ extern zend_module_entry openssl_module_entry;
 #endif
 #else
 /* OpenSSL version check */
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
-#define PHP_OPENSSL_API_VERSION 0x10001
-#elif OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 #define PHP_OPENSSL_API_VERSION 0x10002
 #else
 #define PHP_OPENSSL_API_VERSION 0x10100
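Review bot: With the `< 0x10002000L` arm removed, headers older than 1.0.2 now fall silently into the `0x10002` case, and the only enforcement of the new minimum visible in this commit is the pkg-config check in build/php.m4. A build that does not pass through that check would compile against an unsupported library and fail later or less obviously; whether such a path exists (for example the Windows build configuration) cannot be seen from this diff. A compile-time guard ahead of the version selection makes the requirement explicit: `#if OPENSSL_VERSION_NUMBER < 0x10002000L`, `#error "OpenSSL 1.0.2 or later is required"`, `#endif`. The conditional block continues past the end of the hunk.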
index feb9ee52c11649757a51d355242920029dc1deb8..6fdbf1df16bfedb7a558459754998f89eab3d5c5 100644 (file)
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/err.h>
-
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#endif
 
 #ifdef PHP_WIN32
 #include "win32/winutil.h"
 
 #ifndef OPENSSL_NO_TLSEXT
 #define HAVE_TLS_SNI 1
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 #define HAVE_TLS_ALPN 1
 #endif
-#endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 #define HAVE_SEC_LEVEL 1
@@ -1294,12 +1289,8 @@ static int php_openssl_set_server_ecdh_curve(php_stream *stream, SSL_CTX *ctx) /
 
        zvcurve = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "ecdh_curve");
        if (zvcurve == NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
                SSL_CTX_set_ecdh_auto(ctx, 1);
                return SUCCESS;
-#else
-               curve_nid = NID_X9_62_prime256v1;
-#endif
        } else {
                if (!try_convert_to_string(zvcurve)) {
                        return FAILURE;
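Review bot: The `zvcurve == NULL` branch has no comment explaining what happens to curve selection, now that the removed `#else` arm no longer shows the old fallback to `NID_X9_62_prime256v1`. A reader auditing the server's key-exchange defaults has to know that the choice is delegated entirely to the library. I would add a comment above the call, for example `/* no "ecdh_curve" context option: let OpenSSL select the curve automatically */`. As far as I know, on OpenSSL 1.1.0 and later `SSL_CTX_set_ecdh_auto` is only a compatibility macro and automatic selection is always on, which is worth stating in the same comment once confirmed. The function continues outside the hunk.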