From 32e6d08dcd25418c96d8fe2218802a07fdf3363d Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sat, 27 Apr 2019 11:17:28 -0700 Subject: [PATCH] Fix compilation without deprecated OpenSSL 1.1 APIs --- ext/ftp/php_ftp.c | 2 ++ ext/openssl/openssl.c | 26 ++++++++++++++++---------- ext/openssl/xp_ssl.c | 14 +++++++++++++- 3 files changed, 31 insertions(+), 11 deletions(-) diff --git a/ext/ftp/php_ftp.c b/ext/ftp/php_ftp.c index 5bd1fa70cc..e3b425ef0f 100644 --- a/ext/ftp/php_ftp.c +++ b/ext/ftp/php_ftp.c @@ -318,12 +318,14 @@ static void ftp_destructor_ftpbuf(zend_resource *rsrc) PHP_MINIT_FUNCTION(ftp) { #ifdef HAVE_FTP_SSL +#if OPENSSL_VERSION_NUMBER < 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) SSL_library_init(); OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); OpenSSL_add_all_algorithms(); SSL_load_error_strings(); +#endif #endif le_ftpbuf = zend_register_list_destructors_ex(ftp_destructor_ftpbuf, NULL, le_ftpbuf_name, module_number); diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 7d40c85882..3bf569cce1 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -705,6 +705,12 @@ static int X509_get_signature_nid(const X509 *x) #endif +#define OpenSSL_version SSLeay_version +#define OPENSSL_VERSION SSLEAY_VERSION +#define X509_getm_notBefore X509_get_notBefore +#define X509_getm_notAfter X509_get_notAfter +#define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_cleanup + #endif /* }}} */ @@ -1617,7 +1623,7 @@ PHP_MINFO_FUNCTION(openssl) { php_info_print_table_start(); php_info_print_table_row(2, "OpenSSL support", "enabled"); - php_info_print_table_row(2, "OpenSSL Library Version", SSLeay_version(SSLEAY_VERSION)); + php_info_print_table_row(2, "OpenSSL Library Version", OpenSSL_version(OPENSSL_VERSION)); php_info_print_table_row(2, "OpenSSL Header Version", OPENSSL_VERSION_TEXT); php_info_print_table_row(2, "Openssl default config", default_ssl_conf_filename); php_info_print_table_end(); 
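Review bot: In `PHP_MINIT_FUNCTION(ftp)` the new guard `#if OPENSSL_VERSION_NUMBER < 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)` is false for every LibreSSL build, so `SSL_library_init()` and the algorithm and error-string loading are never called there. That is only safe if every LibreSSL release the build accepts initialises itself on first use, which nothing in this hunk shows; if one does not, FTP-over-TLS setup would fail at runtime rather than at compile time. The threshold is also 1.1.1 although the commit targets deprecated 1.1 APIs, so an OpenSSL 1.1.0 built without deprecated APIs presumably still reaches these calls. I would state the assumption next to the guard, e.g. `/* OpenSSL >= 1.1.1 self-initialises; LibreSSL: confirm the minimum supported version does too */`.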
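Review bot: The five aliases added before the closing `#endif` in `ext/openssl/openssl.c` are object-like macros, so they rewrite every later use of `OpenSSL_version`, `OPENSSL_VERSION`, `X509_getm_notBefore`, `X509_getm_notAfter` and `EVP_CIPHER_CTX_reset` in this file. The opening `#if` is outside the hunk, so it cannot be confirmed here that the block is compiled only against libraries that lack those symbols. If a library that already declares them (a recent LibreSSL, for instance) falls into this branch, calls would be silently redirected to the older functions. A comment such as `/* OpenSSL 1.1.0 names mapped to their pre-1.1.0 equivalents */` above the defines, plus a check of the enclosing condition, would make the intent reviewable.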
@@ -2420,11 +2426,11 @@ PHP_FUNCTION(openssl_x509_parse) add_assoc_string(return_value, "serialNumberHex", hex_serial); OPENSSL_free(hex_serial); - php_openssl_add_assoc_asn1_string(return_value, "validFrom", X509_get_notBefore(cert)); - php_openssl_add_assoc_asn1_string(return_value, "validTo", X509_get_notAfter(cert)); + php_openssl_add_assoc_asn1_string(return_value, "validFrom", X509_getm_notBefore(cert)); + php_openssl_add_assoc_asn1_string(return_value, "validTo", X509_getm_notAfter(cert)); - add_assoc_long(return_value, "validFrom_time_t", php_openssl_asn1_time_to_time_t(X509_get_notBefore(cert))); - add_assoc_long(return_value, "validTo_time_t", php_openssl_asn1_time_to_time_t(X509_get_notAfter(cert))); + add_assoc_long(return_value, "validFrom_time_t", php_openssl_asn1_time_to_time_t(X509_getm_notBefore(cert))); + add_assoc_long(return_value, "validTo_time_t", php_openssl_asn1_time_to_time_t(X509_getm_notAfter(cert))); tmpstr = (char *)X509_alias_get0(cert, NULL); if (tmpstr) { @@ -3525,8 +3531,8 @@ PHP_FUNCTION(openssl_csr_sign) php_openssl_store_errors(); goto cleanup; } - X509_gmtime_adj(X509_get_notBefore(new_cert), 0); - X509_gmtime_adj(X509_get_notAfter(new_cert), 60*60*24*(long)num_days); + X509_gmtime_adj(X509_getm_notBefore(new_cert), 0); + X509_gmtime_adj(X509_getm_notAfter(new_cert), 60*60*24*(long)num_days); i = X509_set_pubkey(new_cert, key); if (!i) { php_openssl_store_errors(); @@ -6197,7 +6203,7 @@ PHP_FUNCTION(openssl_seal) /* allocate one byte extra to make room for \0 */ buf = emalloc(data_len + EVP_CIPHER_CTX_block_size(ctx)); - EVP_CIPHER_CTX_cleanup(ctx); + EVP_CIPHER_CTX_reset(ctx); if (EVP_SealInit(ctx, cipher, eks, eksl, &iv_buf[0], pkeys, nkeys) <= 0 || !EVP_SealUpdate(ctx, buf, &len1, (unsigned char *)data, (int)data_len) || 
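Review bot: `openssl_x509_parse` only reads the validity fields, yet the four new calls use `X509_getm_notBefore` and `X509_getm_notAfter`, the accessors that hand out a mutable `ASN1_TIME *`. OpenSSL 1.1.0 also provides the read-only `X509_get0_notBefore` and `X509_get0_notAfter`; using them here would keep the parse path const-correct and reserve the `getm` forms for code that adjusts a certificate. That would need matching pre-1.1.0 aliases and possibly `const` on the parameters of `php_openssl_add_assoc_asn1_string` and `php_openssl_asn1_time_to_time_t`, whose prototypes are outside this hunk.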
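Review bot: Both `X509_gmtime_adj()` calls in `openssl_csr_sign` discard their result, so a failure to set `notBefore` or `notAfter` goes unnoticed and signing continues, unlike the `X509_set_pubkey` call right after, which is checked. The offset `60*60*24*(long)num_days` is also computed in `long`, which can overflow for large day counts where `long` is 32 bits and would give the certificate an unintended validity period; the declaration and any range check of `num_days` are outside the hunk. I would test each call, e.g. `if (!X509_gmtime_adj(X509_getm_notAfter(new_cert), 60*60*24*(long)num_days)) { php_openssl_store_errors(); goto cleanup; }`, and bound `num_days` before multiplying.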
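Review bot: The return value of `EVP_CIPHER_CTX_reset(ctx)` in `openssl_seal` is dropped, so a failed reset is followed by `EVP_SealInit` on a context in an unknown state. Because the next statement is already a chained failure check, the reset can join it: `if (!EVP_CIPHER_CTX_reset(ctx) || EVP_SealInit(ctx, cipher, eks, eksl, &iv_buf[0], pkeys, nkeys) <= 0 ||`. The same condition passes `(int)data_len`; that cast is only safe if `data_len` was range-checked earlier, which lies outside this hunk, as does the rest of the `if`.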
@@ -6739,7 +6745,7 @@ PHP_OPENSSL_API zend_string* php_openssl_encrypt(char *data, size_t data_len, ch if (free_iv) { efree(iv); } - EVP_CIPHER_CTX_cleanup(cipher_ctx); + EVP_CIPHER_CTX_reset(cipher_ctx); EVP_CIPHER_CTX_free(cipher_ctx); return outbuf; } @@ -6834,7 +6840,7 @@ PHP_OPENSSL_API zend_string* php_openssl_decrypt(char *data, size_t data_len, ch if (base64_str) { zend_string_release_ex(base64_str, 0); } - EVP_CIPHER_CTX_cleanup(cipher_ctx); + EVP_CIPHER_CTX_reset(cipher_ctx); EVP_CIPHER_CTX_free(cipher_ctx); return outbuf; } diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 09d1bcbf3e..caf812d83d 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -60,9 +60,19 @@ #define STREAM_CRYPTO_METHOD_TLSv1_2 (1<<5) #define STREAM_CRYPTO_METHOD_TLSv1_3 (1<<6) +#ifndef OPENSSL_NO_TLS1_METHOD +#define HAVE_TLS1 1 +#endif + +#ifndef OPENSSL_NO_TLS1_1_METHOD #define HAVE_TLS11 1 +#endif + +#ifndef OPENSSL_NO_TLS1_2_METHOD #define HAVE_TLS12 1 -#if OPENSSL_VERSION_NUMBER >= 0x10101000 +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(OPENSSL_NO_TLS1_3) #define HAVE_TLS13 1 #endif @@ -995,9 +1005,11 @@ static int php_openssl_get_crypto_method_ctx_flags(int method_flags) /* {{{ */ ssl_ctx_options |= SSL_OP_NO_SSLv3; } #endif +#ifdef HAVE_TLS1 if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_0)) { ssl_ctx_options |= SSL_OP_NO_TLSv1; } +#endif #ifdef HAVE_TLS11 if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_1)) { ssl_ctx_options |= SSL_OP_NO_TLSv1_1; -- 2.40.0
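Review bot: In `php_openssl_encrypt` the explicit `EVP_CIPHER_CTX_reset(cipher_ctx);` is immediately followed by `EVP_CIPHER_CTX_free(cipher_ctx);`, and as far as I know the free routine already clears the context before releasing it, in 1.1.0 and in the older releases alike. Dropping the reset line would remove the need for the compatibility alias on this path without losing the key-material cleanup; the same pair appears at the end of `php_openssl_decrypt` in the next hunk. If the double call is deliberate, a comment such as `/* explicit wipe kept for older libraries */` would say so.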
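Review bot: With `HAVE_TLS1`, `HAVE_TLS11` and `HAVE_TLS12` now depending on `OPENSSL_NO_TLS1_METHOD` and its siblings, a build without a version-specific method no longer masks that protocol version even when the caller's `method_flags` exclude it. This comes from the `#ifdef HAVE_TLS1` added around `ssl_ctx_options |= SSL_OP_NO_TLSv1;` in `php_openssl_get_crypto_method_ctx_flags` (second `xp_ssl.c` hunk), and the existing `#ifdef HAVE_TLS11` block is affected the same way. Those macros describe whether the fixed-version method functions are available, which is not necessarily the same as the protocol being compiled out, so a stream restricted to newer TLS might still negotiate an older version through the generic method. The `SSL_OP_NO_*` bits do not depend on the method functions, so I would key the guards on the option instead, e.g. `#ifdef SSL_OP_NO_TLSv1`. The TLS 1.3 line tests `OPENSSL_NO_TLS1_3`, a protocol switch, so the four `HAVE_*` macros no longer mean the same thing; the function body continues outside the hunk.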