diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 919431e113092..c7ffcee8d512c 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -3974,20 +3974,11 @@ PHP_FUNCTION(openssl_sign) md_ctx = EVP_MD_CTX_create(); size_t siglen; -#if PHP_OPENSSL_API_VERSION >= 0x10100 if (md_ctx != NULL && EVP_DigestSignInit(md_ctx, NULL, mdtype, NULL, pkey) && EVP_DigestSign(md_ctx, NULL, &siglen, (unsigned char*)data, data_len) && (sigbuf = zend_string_alloc(siglen, 0)) != NULL && EVP_DigestSign(md_ctx, (unsigned char*)ZSTR_VAL(sigbuf), &siglen, (unsigned char*)data, data_len)) { -#else - if (md_ctx != NULL && - EVP_SignInit(md_ctx, mdtype) && - EVP_SignUpdate(md_ctx, data, data_len) && - (siglen = EVP_PKEY_size(pkey)) && - (sigbuf = zend_string_alloc(siglen, 0)) != NULL && - EVP_SignFinal(md_ctx, (unsigned char*)ZSTR_VAL(sigbuf), (unsigned int*)&siglen, pkey)) { -#endif ZSTR_VAL(sigbuf)[siglen] = '\0'; ZSTR_LEN(sigbuf) = siglen; ZEND_TRY_ASSIGN_REF_NEW_STR(signature, sigbuf); @@ -4048,14 +4039,8 @@ PHP_FUNCTION(openssl_verify) md_ctx = EVP_MD_CTX_create(); if (md_ctx == NULL || -#if PHP_OPENSSL_API_VERSION >= 0x10100 !EVP_DigestVerifyInit(md_ctx, NULL, mdtype, NULL, pkey) || (err = EVP_DigestVerify(md_ctx, (unsigned char *)signature, signature_len, (unsigned char*)data, data_len)) < 0) { -#else - !EVP_VerifyInit (md_ctx, mdtype) || - !EVP_VerifyUpdate (md_ctx, data, data_len) || - (err = EVP_VerifyFinal(md_ctx, (unsigned char *)signature, (unsigned int)signature_len, pkey)) < 0) { -#endif php_openssl_store_errors(); } EVP_MD_CTX_destroy(md_ctx); diff --git a/ext/openssl/openssl.stub.php b/ext/openssl/openssl.stub.php index 1f8c6f7fbdbec..1fe3a9fc168eb 100644 --- a/ext/openssl/openssl.stub.php +++ b/ext/openssl/openssl.stub.php 
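Review bot: In the openssl_sign hunk, `sigbuf` is allocated in the middle of the condition by `zend_string_alloc(siglen, 0)` and is only handed to `signature` on the success path, so if the second `EVP_DigestSign` fails after the allocation succeeded the string is owned by nobody; the else branch that would have to release it is outside the hunk, so please confirm it calls `zend_string_release(sigbuf)` on that path. The first `EVP_DigestSign(md_ctx, NULL, &siglen, ...)` call only returns an upper bound and the second call shrinks `siglen` to the real length, which `ZSTR_LEN(sigbuf) = siglen` depends on; a one-liner such as `/* first call sizes the buffer, second call writes it and updates siglen */` would make that two-call pattern obvious to the next reader. Both PHP_FUNCTION bodies touched here start before and end after the shown lines.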
@@ -86,14 +86,6 @@ */ const OPENSSL_ALGO_MD2 = UNKNOWN; #endif -#if PHP_OPENSSL_API_VERSION < 0x10100 -/** - * @var int - * @cvalue OPENSSL_ALGO_DSS1 - */ -const OPENSSL_ALGO_DSS1 = UNKNOWN; -#endif - /** * @var int * @cvalue OPENSSL_ALGO_SHA224 diff --git a/ext/openssl/openssl_arginfo.h b/ext/openssl/openssl_arginfo.h index 04d7c4163db9d..94f59ce268510 100644 --- a/ext/openssl/openssl_arginfo.h +++ b/ext/openssl/openssl_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 32bd0ec5db046bfe3bba8a5d3fe1c0c51ff89e00 */ + * Stub hash: a42bd7dec0a5e011983ce08b5e31cd8718247501 */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_export_to_file, 0, 2, _IS_BOOL, 0) ZEND_ARG_OBJ_TYPE_MASK(0, certificate, OpenSSLCertificate, MAY_BE_STRING, NULL) @@ -564,9 +564,6 @@ static void register_openssl_symbols(int module_number) #endif #if !defined(OPENSSL_NO_MD2) REGISTER_LONG_CONSTANT("OPENSSL_ALGO_MD2", OPENSSL_ALGO_MD2, CONST_PERSISTENT); -#endif -#if PHP_OPENSSL_API_VERSION < 0x10100 - REGISTER_LONG_CONSTANT("OPENSSL_ALGO_DSS1", OPENSSL_ALGO_DSS1, CONST_PERSISTENT); #endif REGISTER_LONG_CONSTANT("OPENSSL_ALGO_SHA224", OPENSSL_ALGO_SHA224, CONST_PERSISTENT); REGISTER_LONG_CONSTANT("OPENSSL_ALGO_SHA256", OPENSSL_ALGO_SHA256, CONST_PERSISTENT); diff --git a/ext/openssl/openssl_backend_common.c b/ext/openssl/openssl_backend_common.c index 8fcb81f9a027e..2ed5f923bff47 100644 --- a/ext/openssl/openssl_backend_common.c +++ b/ext/openssl/openssl_backend_common.c @@ -461,7 +461,6 @@ zend_result php_openssl_write_rand_file(const char * file, int egdsocket, int se if (file == NULL) { file = RAND_file_name(buffer, sizeof(buffer)); } - PHP_OPENSSL_RAND_ADD_TIME(); if (file == NULL || !RAND_write_file(file)) { php_openssl_store_errors(); php_error_docref(NULL, E_WARNING, "Unable to write random state"); 
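Review bot: In the php_openssl_write_rand_file hunk, `if (file == NULL || !RAND_write_file(file))` treats only a zero return as failure, but OpenSSL documents RAND_write_file() as returning -1 on failure (historically: when the bytes were generated without appropriate seeding), so that case currently skips `php_openssl_store_errors()` and the "Unable to write random state" warning. Dropping the `PHP_OPENSSL_RAND_ADD_TIME()` call is correct (it fed gettimeofday with an entropy estimate of 0.0), but the check beside it should become `if (file == NULL || RAND_write_file(file) <= 0) {` so the negative return is reported too. The function continues past the hunk.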
@@ -489,11 +488,6 @@ EVP_MD * php_openssl_get_evp_md_from_algo(zend_long algo) { case OPENSSL_ALGO_MD2: mdtype = (EVP_MD *) EVP_md2(); break; -#endif -#if PHP_OPENSSL_API_VERSION < 0x10100 - case OPENSSL_ALGO_DSS1: - mdtype = (EVP_MD *) EVP_dss1(); - break; #endif case OPENSSL_ALGO_SHA224: mdtype = (EVP_MD *) EVP_sha224(); @@ -1510,7 +1504,6 @@ EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req) int egdsocket, seeded; char *randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE"); php_openssl_load_rand_file(randfile, &egdsocket, &seeded); - PHP_OPENSSL_RAND_ADD_TIME(); EVP_PKEY *key = NULL; EVP_PKEY *params = NULL; @@ -1700,11 +1693,9 @@ void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EV int cipher_mode = EVP_CIPHER_mode(cipher_type); memset(mode, 0, sizeof(struct php_openssl_cipher_mode)); switch (cipher_mode) { -#if PHP_OPENSSL_API_VERSION >= 0x10100 - /* Since OpenSSL 1.1, all AEAD ciphers use a common framework. We check for - * EVP_CIPH_OCB_MODE, because LibreSSL does not support it. */ case EVP_CIPH_GCM_MODE: case EVP_CIPH_CCM_MODE: + /* We check for EVP_CIPH_OCB_MODE, because LibreSSL does not support it. */ # ifdef EVP_CIPH_OCB_MODE case EVP_CIPH_OCB_MODE: /* For OCB mode, explicitly set the tag length even when decrypting, 
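Review bot: In the php_openssl_load_cipher_mode hunk the relocated comment `/* We check for EVP_CIPH_OCB_MODE, because LibreSSL does not support it. */` now sits between the `case EVP_CIPH_CCM_MODE:` label and the `# ifdef`, where it reads as if it qualified the GCM/CCM cases, and the deleted sentence explaining that the three modes share one branch is gone. Suggest moving it just inside `# ifdef EVP_CIPH_OCB_MODE` and rewording it to `/* GCM, CCM and, where the library defines it (LibreSSL does not), OCB share this branch and the EVP_CTRL_AEAD_* controls set by php_openssl_set_aead_flags(). */`. The switch body continues past the hunk.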
@@ -1721,28 +1712,7 @@ void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EV php_openssl_set_aead_flags(mode); } break; - # endif -#else -# ifdef EVP_CIPH_GCM_MODE - case EVP_CIPH_GCM_MODE: - mode->is_aead = 1; - mode->aead_get_tag_flag = EVP_CTRL_GCM_GET_TAG; - mode->aead_set_tag_flag = EVP_CTRL_GCM_SET_TAG; - mode->aead_ivlen_flag = EVP_CTRL_GCM_SET_IVLEN; - break; -# endif -# ifdef EVP_CIPH_CCM_MODE - case EVP_CIPH_CCM_MODE: - mode->is_aead = 1; - mode->is_single_run_aead = 1; - mode->set_tag_length_when_encrypting = 1; - mode->aead_get_tag_flag = EVP_CTRL_CCM_GET_TAG; - mode->aead_set_tag_flag = EVP_CTRL_CCM_SET_TAG; - mode->aead_ivlen_flag = EVP_CTRL_CCM_SET_IVLEN; - break; -# endif -#endif } } @@ -2121,7 +2091,6 @@ PHP_OPENSSL_API zend_string* php_openssl_random_pseudo_bytes(zend_long buffer_le buffer = zend_string_alloc(buffer_length, 0); PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(buffer_length, length); - PHP_OPENSSL_RAND_ADD_TIME(); if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) { zend_string_release_ex(buffer, 0); zend_throw_exception(zend_ce_exception, "Error reading from source device", 0); diff --git a/ext/openssl/openssl_backend_v1.c b/ext/openssl/openssl_backend_v1.c index dfdb7b014060a..59988451bbbd0 100644 --- a/ext/openssl/openssl_backend_v1.c +++ b/ext/openssl/openssl_backend_v1.c @@ -116,7 +116,6 @@ static bool php_openssl_pkey_init_dsa_data(DSA *dsa, zval *data, bool *is_privat } /* generate key */ - PHP_OPENSSL_RAND_ADD_TIME(); if (!DSA_generate_key(dsa)) { php_openssl_store_errors(); return 0; @@ -185,7 +184,6 @@ static bool php_openssl_pkey_init_dh_data(DH *dh, zval *data, bool *is_private) } /* generate key */ - PHP_OPENSSL_RAND_ADD_TIME(); if (!DH_generate_key(dh)) { php_openssl_store_errors(); return 0; 
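Review bot: In the php_openssl_random_pseudo_bytes hunk, `buffer = zend_string_alloc(buffer_length, 0);` runs before `PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(buffer_length, length);`; if that macro returns NULL on an out-of-int-range length (its definition is not in the hunk), the freshly allocated string leaks on that path. Unless a check earlier in the function already rules the overflow out, swapping the two lines so the range check precedes the allocation removes the leak with no change on the success path. Removing `PHP_OPENSSL_RAND_ADD_TIME()` here is fine: `RAND_bytes` on OpenSSL >= 1.1 seeds itself and the macro's `RAND_add(..., 0.0)` contributed no entropy estimate anyway. The function starts before the hunk.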
@@ -341,7 +339,6 @@ static bool php_openssl_pkey_init_ec_data(EC_KEY *eckey, zval *data, bool *is_pr if (!EC_KEY_check_key(eckey)) { *is_private = true; - PHP_OPENSSL_RAND_ADD_TIME(); EC_KEY_generate_key(eckey); } diff --git a/ext/openssl/openssl_backend_v3.c b/ext/openssl/openssl_backend_v3.c index b4508b070c738..76965d66e65a7 100644 --- a/ext/openssl/openssl_backend_v3.c +++ b/ext/openssl/openssl_backend_v3.c @@ -143,7 +143,6 @@ EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private) pkey = param_key; } else { *is_private = true; - PHP_OPENSSL_RAND_ADD_TIME(); EVP_PKEY_CTX_free(ctx); ctx = EVP_PKEY_CTX_new(param_key, NULL); if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) { @@ -219,7 +218,6 @@ EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private) pkey = param_key; } else { *is_private = true; - PHP_OPENSSL_RAND_ADD_TIME(); EVP_PKEY_CTX_free(ctx); ctx = EVP_PKEY_CTX_new(param_key, NULL); if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) { @@ -407,7 +405,6 @@ EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { pkey = param_key; } else { *is_private = true; - PHP_OPENSSL_RAND_ADD_TIME(); if (EVP_PKEY_keygen_init(ctx) != 1 || EVP_PKEY_CTX_set_params(ctx, params) != 1 || EVP_PKEY_generate(ctx, &pkey) != 1) { @@ -482,7 +479,6 @@ void php_openssl_pkey_object_curve_25519_448(zval *return_value, int key_type, z is_private = priv_key != NULL; } else { is_private = true; - PHP_OPENSSL_RAND_ADD_TIME(); if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) { goto cleanup; } diff --git a/ext/openssl/php_openssl_backend.h b/ext/openssl/php_openssl_backend.h index f48e3b0761ffb..158b4e27712f9 100644 --- a/ext/openssl/php_openssl_backend.h +++ b/ext/openssl/php_openssl_backend.h 
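Review bot: In the php_openssl_pkey_init_ec_data hunk the surviving `EC_KEY_generate_key(eckey);` ignores its return value, whereas the DSA and DH siblings in this same commit check `if (!DSA_generate_key(dsa))` / `if (!DH_generate_key(dh))` and bail with `php_openssl_store_errors(); return 0;`. On failure `*is_private` has already been set to true, so the caller may receive a key flagged private that has no usable private part; unless the lines after the hunk re-run `EC_KEY_check_key`, this should be `if (!EC_KEY_generate_key(eckey)) { php_openssl_store_errors(); return 0; }` for consistency with the other backends. The function continues past the hunk.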
@@ -118,9 +118,7 @@ enum php_openssl_encoding { #ifndef OPENSSL_NO_MD2 #define OPENSSL_ALGO_MD2 4 #endif -#if PHP_OPENSSL_API_VERSION < 0x10100 -#define OPENSSL_ALGO_DSS1 5 -#endif +/* Number 5 was used for OPENSSL_ALGO_DSS1 which is no longer available */ #define OPENSSL_ALGO_SHA224 6 #define OPENSSL_ALGO_SHA256 7 #define OPENSSL_ALGO_SHA384 8 @@ -220,23 +218,6 @@ const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(zend_long algo); int php_openssl_parse_config(struct php_x509_request * req, zval * optional_args); void php_openssl_dispose_config(struct php_x509_request * req); - -#if defined(PHP_WIN32) || PHP_OPENSSL_API_VERSION >= 0x10100 -#define PHP_OPENSSL_RAND_ADD_TIME() ((void) 0) -#else -#define PHP_OPENSSL_RAND_ADD_TIME() php_openssl_rand_add_timeval() - -static inline void php_openssl_rand_add_timeval(void) /* {{{ */ -{ - struct timeval tv; - - gettimeofday(&tv, NULL); - RAND_add(&tv, sizeof(tv), 0.0); -} -/* }}} */ - -#endif - zend_result php_openssl_load_rand_file(const char * file, int *egdsocket, int *seeded); zend_result php_openssl_write_rand_file(const char * file, int egdsocket, int seeded); @@ -279,7 +260,7 @@ X509_REQ *php_openssl_csr_from_str(zend_string *csr_str, uint32_t arg_num); X509_REQ *php_openssl_csr_from_param( zend_object *csr_obj, zend_string *csr_str, uint32_t arg_num); -#if PHP_OPENSSL_API_VERSION >= 0x10100 && !defined (LIBRESSL_VERSION_NUMBER) +#if !defined (LIBRESSL_VERSION_NUMBER) #define PHP_OPENSSL_ASN1_INTEGER_set ASN1_INTEGER_set_int64 #else #define PHP_OPENSSL_ASN1_INTEGER_set ASN1_INTEGER_set 
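Review bot: The placeholder comment `/* Number 5 was used for OPENSSL_ALGO_DSS1 which is no longer available */` in the php_openssl_backend.h hunk records history but not the constraint it exists to enforce: scripts may still pass the literal 5 as the algorithm argument of openssl_sign()/openssl_verify(), so the slot must never be reassigned. Suggest `/* 5 was OPENSSL_ALGO_DSS1 (removed with the OpenSSL < 1.1 code path); keep it unassigned so a literal 5 from old scripts cannot silently select another digest. */`. Relatedly, php_openssl_get_evp_md_from_algo no longer has a `case 5`, so that value presumably reaches its default branch; worth confirming that branch reports an unknown algorithm rather than falling back to some digest.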
@@ -349,14 +330,12 @@ struct php_openssl_cipher_mode { int aead_ivlen_flag; }; -#if PHP_OPENSSL_API_VERSION >= 0x10100 static inline void php_openssl_set_aead_flags(struct php_openssl_cipher_mode *mode) { mode->is_aead = true; mode->aead_get_tag_flag = EVP_CTRL_AEAD_GET_TAG; mode->aead_set_tag_flag = EVP_CTRL_AEAD_SET_TAG; mode->aead_ivlen_flag = EVP_CTRL_AEAD_SET_IVLEN; } -#endif void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EVP_CIPHER *cipher_type); zend_result php_openssl_validate_iv(const char **piv, size_t *piv_len, size_t iv_required_len, @@ -375,6 +354,4 @@ zend_result php_openssl_cipher_update(const EVP_CIPHER *cipher_type, const EVP_CIPHER *php_openssl_get_evp_cipher_by_name(const char *method); - #endif - diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index 92168c16175a1..03c18f9be71a2 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -148,10 +148,6 @@ #define HAVE_IPV6_SAN 1 #endif -#if PHP_OPENSSL_API_VERSION < 0x10100 -static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength); -#endif - extern php_stream* php_openssl_get_stream_from_ssl_handle(const SSL *ssl); extern zend_string* php_openssl_x509_fingerprint(X509 *peer, const char *method, bool raw); extern int php_openssl_get_ssl_stream_data_index(void); 
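Review bot: `php_openssl_set_aead_flags` becomes an unconditional static inline in this hunk but still carries no comment, and it is the one place that hard-codes the generic `EVP_CTRL_AEAD_*` control codes the cipher paths then rely on. Suggest a header such as `/* Mark a cipher mode as AEAD using the generic EVP_CTRL_AEAD_* controls (OpenSSL >= 1.1 / LibreSSL); mode-specific fields such as tag-length handling are filled in by php_openssl_load_cipher_mode(). */`. The struct php_openssl_cipher_mode it fills is defined before the hunk.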
@@ -987,45 +983,6 @@ static zend_result php_openssl_set_local_cert(SSL_CTX *ctx, php_stream *stream) } /* }}} */ -#if PHP_OPENSSL_API_VERSION < 0x10100 -static int php_openssl_get_crypto_method_ctx_flags(int method_flags) /* {{{ */ -{ - int ssl_ctx_options = SSL_OP_ALL; - -#ifdef SSL_OP_NO_SSLv2 - ssl_ctx_options |= SSL_OP_NO_SSLv2; -#endif -#ifdef HAVE_SSL3 - if (!(method_flags & STREAM_CRYPTO_METHOD_SSLv3)) { - ssl_ctx_options |= SSL_OP_NO_SSLv3; - } -#endif -#ifdef HAVE_TLS1 - if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_0)) { - ssl_ctx_options |= SSL_OP_NO_TLSv1; - } -#endif -#ifdef HAVE_TLS11 - if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_1)) { - ssl_ctx_options |= SSL_OP_NO_TLSv1_1; - } -#endif -#ifdef HAVE_TLS12 - if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_2)) { - ssl_ctx_options |= SSL_OP_NO_TLSv1_2; - } -#endif -#ifdef HAVE_TLS13 - if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_3)) { - ssl_ctx_options |= SSL_OP_NO_TLSv1_3; - } -#endif - - return ssl_ctx_options; -} -/* }}} */ -#endif - static inline int php_openssl_get_min_proto_version_flag(int flags) /* {{{ */ { int ver; @@ -1050,7 +1007,6 @@ static inline int php_openssl_get_max_proto_version_flag(int flags) /* {{{ */ } /* }}} */ -#if PHP_OPENSSL_API_VERSION >= 0x10100 static inline int php_openssl_map_proto_version(int flag) /* {{{ */ { switch (flag) { @@ -1085,7 +1041,6 @@ static int php_openssl_get_max_proto_version(int flags) /* {{{ */ return php_openssl_map_proto_version(php_openssl_get_max_proto_version_flag(flags)); } /* }}} */ -#endif static int php_openssl_get_proto_version_flags(int flags, int min, int max) /* {{{ */ { 
@@ -1219,30 +1174,6 @@ static void php_openssl_init_server_reneg_limit(php_stream *stream, php_openssl_ } /* }}} */ -#if PHP_OPENSSL_API_VERSION < 0x10100 -static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength) -{ - BIGNUM *bn = NULL; - static RSA *rsa_tmp = NULL; - - if (!rsa_tmp && ((bn = BN_new()) == NULL)) { - php_error_docref(NULL, E_WARNING, "allocation error generating RSA key"); - } - if (!rsa_tmp && bn) { - if (!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) || - !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) { - if (rsa_tmp) { - RSA_free(rsa_tmp); - } - rsa_tmp = NULL; - } - BN_free(bn); - } - - return (rsa_tmp); -} -#endif - static zend_result php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* {{{ */ { zval *zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param"); 
@@ -1303,57 +1234,11 @@ static zend_result php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX } /* }}} */ -#if defined(HAVE_ECDH) && PHP_OPENSSL_API_VERSION < 0x10100 -static zend_result php_openssl_set_server_ecdh_curve(php_stream *stream, SSL_CTX *ctx) /* {{{ */ -{ - zval *zvcurve; - int curve_nid; - EC_KEY *ecdh; - - zvcurve = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "ecdh_curve"); - if (zvcurve == NULL) { - SSL_CTX_set_ecdh_auto(ctx, 1); - return SUCCESS; - } else { - if (!try_convert_to_string(zvcurve)) { - return FAILURE; - } - - curve_nid = OBJ_sn2nid(Z_STRVAL_P(zvcurve)); - if (curve_nid == NID_undef) { - php_error_docref(NULL, E_WARNING, "Invalid ecdh_curve specified"); - return FAILURE; - } - } - - ecdh = EC_KEY_new_by_curve_name(curve_nid); - if (ecdh == NULL) { - php_error_docref(NULL, E_WARNING, "Failed generating ECDH curve"); - return FAILURE; - } - - SSL_CTX_set_tmp_ecdh(ctx, ecdh); - EC_KEY_free(ecdh); - - return SUCCESS; -} -/* }}} */ -#endif - static zend_result php_openssl_set_server_specific_opts(php_stream *stream, SSL_CTX *ctx) /* {{{ */ { zval *zv; long ssl_ctx_options = SSL_CTX_get_options(ctx); -#if defined(HAVE_ECDH) && PHP_OPENSSL_API_VERSION < 0x10100 - if (php_openssl_set_server_ecdh_curve(stream, ctx) == FAILURE) { - return FAILURE; - } -#endif - -#if PHP_OPENSSL_API_VERSION < 0x10100 - SSL_CTX_set_tmp_rsa_callback(ctx, php_openssl_tmp_rsa_cb); -#endif /* We now use php_openssl_tmp_rsa_cb to generate a key of appropriate size whenever necessary */ if (php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "rsa_key_size") != NULL) { php_error_docref(NULL, E_WARNING, "rsa_key_size context option has been removed"); 
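Review bot: In php_openssl_set_server_specific_opts the context line `/* We now use php_openssl_tmp_rsa_cb to generate a key of appropriate size whenever necessary */` now refers to a function this commit deletes (the `SSL_CTX_set_tmp_rsa_callback` call beside it is removed too), so the comment is stale and misleading. Reword it to match the warning it precedes, e.g. `/* rsa_key_size is obsolete: the temporary-RSA callback it sized was removed together with OpenSSL < 1.1 support; warn so scripts notice the option is ignored. */`. The deletion of php_openssl_set_server_ecdh_curve also removes the only visible reader of the `ecdh_curve` context option; if nothing outside this diff handles it for OpenSSL >= 1.1, that option is now silently ignored and deserves the same kind of warning as rsa_key_size. The function continues past the hunk.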
@@ -1690,11 +1575,7 @@ static zend_result php_openssl_setup_crypto(php_stream *stream, GET_VER_OPT_LONG("min_proto_version", min_version); GET_VER_OPT_LONG("max_proto_version", max_version); method_flags = php_openssl_get_proto_version_flags(method_flags, min_version, max_version); -#if PHP_OPENSSL_API_VERSION < 0x10100 - ssl_ctx_options = php_openssl_get_crypto_method_ctx_flags(method_flags); -#else ssl_ctx_options = SSL_OP_ALL; -#endif if (GET_VER_OPT("no_ticket") && zend_is_true(val)) { ssl_ctx_options |= SSL_OP_NO_TICKET; @@ -1780,10 +1661,8 @@ static zend_result php_openssl_setup_crypto(php_stream *stream, SSL_CTX_set_options(sslsock->ctx, ssl_ctx_options); -#if PHP_OPENSSL_API_VERSION >= 0x10100 SSL_CTX_set_min_proto_version(sslsock->ctx, php_openssl_get_min_proto_version(method_flags)); SSL_CTX_set_max_proto_version(sslsock->ctx, php_openssl_get_max_proto_version(method_flags)); -#endif if (sslsock->is_client == 0 && PHP_STREAM_CONTEXT(stream) &&
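Review bot: With the legacy helper gone, `ssl_ctx_options = SSL_OP_ALL;` is now the sole baseline in php_openssl_setup_crypto and carries no explanation; SSL_OP_ALL is OpenSSL's bundle of interoperability bug workarounds, and in 1.1.x it still includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (which disables the CBC 1/n-1 record split for SSLv3/TLS 1.0) and SSL_OP_LEGACY_SERVER_CONNECT (its composition changed again in 3.0), so it is worth confirming those are intended for both client and server contexts. Protocol exclusion now relies solely on the later `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` pair, which is the right mechanism on >= 1.1, so a comment such as `/* SSL_OP_ALL = OpenSSL's interoperability workarounds only; the protocol range is enforced by SSL_CTX_set_{min,max}_proto_version below, not by SSL_OP_NO_* */` would record why the SSL_OP_NO_* path was dropped. The function starts before and continues past the hunk.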