diff --git a/.circleci/config.yml b/.circleci/config.yml
index a315f3342dad6..16ae9ac39b50f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -53,8 +53,6 @@ jobs:
 libsqlite3-dev \
 libwebp-dev \
 libonig-dev \
- libkrb5-dev \
- libgssapi-krb5-2 \
 libcurl4-openssl-dev \
 libxml2-dev \
 libxslt1-dev \
@@ -128,7 +126,6 @@ jobs:
 --enable-calendar \
 --enable-ftp \
 --with-enchant=/usr \
- --with-kerberos \
 --enable-sysvmsg \
 --with-ffi \
 --enable-zend-test \
diff --git a/.cirrus.yml b/.cirrus.yml
index 55632482a71fc..795f9855c7da8 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -11,10 +11,10 @@ freebsd_task:
 #- sed -i -e 's/quarterly/latest/g' /etc/pkg/FreeBSD.conf
 #- pkg upgrade -y
 - kldload accf_http
- - pkg install -y autoconf bison gmake re2c icu libiconv png freetype2 enchant2 bzip2 krb5 t1lib gmp tidyp libsodium libzip libxml2 libxslt openssl oniguruma pkgconf webp libavif
+ - pkg install -y autoconf bison gmake re2c icu libiconv png freetype2 enchant2 bzip2 t1lib gmp tidyp libsodium libzip libxml2 libxslt openssl oniguruma pkgconf webp libavif
 script:
 - ./buildconf -f
- - ./configure --prefix=/usr/local --enable-debug --enable-option-checking=fatal --enable-fpm --with-pdo-sqlite --without-pear --with-bz2 --with-avif --with-jpeg --with-webp --with-freetype --enable-gd --enable-exif --with-zip --with-zlib --enable-soap --enable-xmlreader --with-xsl --with-libxml --enable-shmop --enable-pcntl --enable-mbstring --with-curl --enable-sockets --with-openssl --with-iconv=/usr/local --enable-bcmath --enable-calendar --enable-ftp --with-kerberos --with-ffi --enable-zend-test --enable-dl-test=shared --enable-intl --with-mhash --with-sodium --enable-werror --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d
+ - ./configure --prefix=/usr/local --enable-debug --enable-option-checking=fatal --enable-fpm --with-pdo-sqlite --without-pear --with-bz2 --with-avif --with-jpeg --with-webp --with-freetype --enable-gd --enable-exif --with-zip --with-zlib --enable-soap --enable-xmlreader --with-xsl --with-libxml --enable-shmop --enable-pcntl --enable-mbstring --with-curl --enable-sockets --with-openssl --with-iconv=/usr/local --enable-bcmath --enable-calendar --enable-ftp --with-ffi --enable-zend-test --enable-dl-test=shared --enable-intl --with-mhash --with-sodium --enable-werror --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d
 - gmake -j2
 - mkdir /etc/php.d
 - gmake install
diff --git a/.github/actions/apt-x32/action.yml b/.github/actions/apt-x32/action.yml
index dbb50d425efd0..0638881d1e4c2 100644
--- a/.github/actions/apt-x32/action.yml
+++ b/.github/actions/apt-x32/action.yml
@@ -23,10 +23,8 @@ runs:
 libffi-dev:i386 \
 libfreetype6-dev:i386 \
 libgmp-dev:i386 \
- libgssapi-krb5-2:i386 \
 libicu-dev:i386 \
 libjpeg-dev:i386 \
- libkrb5-dev:i386 \
 libonig-dev:i386 \
 libpng-dev:i386 \
 libpq-dev:i386 \
diff --git a/.github/actions/apt-x64/action.yml b/.github/actions/apt-x64/action.yml
index 1a45bcc39d3ed..7cb5dd86f5373 100644
--- a/.github/actions/apt-x64/action.yml
+++ b/.github/actions/apt-x64/action.yml
@@ -39,8 +39,6 @@ runs:
 libsqlite3-dev \
 libwebp-dev \
 libonig-dev \
- libkrb5-dev \
- libgssapi-krb5-2 \
 libcurl4-openssl-dev \
 libxml2-dev \
 libxslt1-dev \
diff --git a/.github/actions/brew/action.yml b/.github/actions/brew/action.yml
index 567929d0306dc..e481a8e0ffab6 100644
--- a/.github/actions/brew/action.yml
+++ b/.github/actions/brew/action.yml
@@ -13,7 +13,6 @@ runs:
 brew install \
 openssl@1.1 \
 curl \
- krb5 \
 bzip2 \
 enchant \
 libffi \
diff --git a/.github/actions/configure-macos/action.yml b/.github/actions/configure-macos/action.yml
index cda8e7fbac8f4..ab92dfb2d782f 100644
--- a/.github/actions/configure-macos/action.yml
+++ b/.github/actions/configure-macos/action.yml
@@ -13,7 +13,6 @@ runs:
 export PATH="$BREW_OPT/bison/bin:$PATH"
 export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/openssl@1.1/lib/pkgconfig"
 export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/curl/lib/pkgconfig"
- export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/krb5/lib/pkgconfig"
 export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/libffi/lib/pkgconfig"
 export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/libxml2/lib/pkgconfig"
 export PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$BREW_OPT/libxslt/lib/pkgconfig"
@@ -58,7 +57,6 @@ runs:
 --enable-bcmath \
 --enable-calendar \
 --enable-ftp \
- --with-kerberos \
 --enable-sysvmsg \
 --with-ffi \
 --enable-zend-test \
diff --git a/.github/actions/configure-x32/action.yml b/.github/actions/configure-x32/action.yml index 0d4cd30e669ef..c07c49bb2c4f1 100644 --- a/.github/actions/configure-x32/action.yml +++ b/.github/actions/configure-x32/action.yml @@ -54,7 +54,6 @@ runs: --enable-bcmath \ --enable-calendar \ --enable-ftp \ - --with-kerberos \ --enable-sysvmsg \ --with-ffi \ --enable-zend-test \ diff --git a/.github/actions/configure-x64/action.yml b/.github/actions/configure-x64/action.yml index 95cf656fa7067..38dce5ef8fad8 100644 --- a/.github/actions/configure-x64/action.yml +++ b/.github/actions/configure-x64/action.yml @@ -53,7 +53,6 @@ runs: --enable-calendar \ --enable-ftp \ ${{ inputs.skipSlow == 'false' && '--with-enchant=/usr' || '' }} \ - --with-kerberos \ --enable-sysvmsg \ --with-ffi \ --enable-zend-test \ diff --git a/.travis.yml b/.travis.yml index a94afb4e9ef1a..fd18307662acc 100644 --- a/.travis.yml +++ b/.travis.yml @@ -19,7 +19,6 @@ addons: - libgmp-dev - libicu-dev - libjpeg-dev - - libkrb5-dev - libonig-dev - libpng-dev - libpq-dev diff --git a/NEWS b/NEWS index e23921cba6fd6..d9f3b31ffbb77 100644 --- a/NEWS +++ b/NEWS @@ -94,6 +94,7 @@ PHP NEWS Florian Sowade) . Added X509_PURPOSE_OCSP_HELPER and X509_PURPOSE_TIMESTAMP_SIGN constants. (Vincent Jardin) + . Bumped minimum required OpenSSL version to 1.1.1. (Ayesh Karunaratne) - Output: . Clear output handler status flags during handler initialization. (haszi) diff --git a/UPGRADING b/UPGRADING index e5c41413e609e..98b4aceb818ae 100644 --- a/UPGRADING +++ b/UPGRADING @@ -463,6 +463,9 @@ PHP 8.4 UPGRADE NOTES - Intl: . The class constants are typed now. +- Intl: + . The OpenSSL extension now requires at least OpenSSL 1.1.1. + - PDO: . The class constants are typed now. diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS index 217d86809ad46..a24dc97c48f89 100644 --- a/UPGRADING.INTERNALS +++ b/UPGRADING.INTERNALS 
@@ -96,6 +96,7 @@ PHP 8.4 INTERNALS UPGRADE NOTES - The configure option --with-imap-ssl has been removed. - The configure option --with-oci8 has been removed. - The configure option --with-zlib-dir has been removed. + - The configure option --with-kerberos has been removed. - COOKIE_IO_FUNCTIONS_T symbol has been removed (use cookie_io_functions_t). - HAVE_SOCKADDR_UN_SUN_LEN symbol renamed to HAVE_STRUCT_SOCKADDR_UN_SUN_LEN. - HAVE_UTSNAME_DOMAINNAME symbol renamed to HAVE_STRUCT_UTSNAME_DOMAINNAME. diff --git a/build/php.m4 b/build/php.m4 index 8be1d81b5beaf..9ce6a6cf09f4a 100644 --- a/build/php.m4 +++ b/build/php.m4 @@ -1817,7 +1817,7 @@ dnl AC_DEFUN([PHP_SETUP_OPENSSL],[ found_openssl=no - PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.0.2], [found_openssl=yes]) + PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.1.1], [found_openssl=yes]) if test "$found_openssl" = "yes"; then PHP_EVAL_LIBLINE($OPENSSL_LIBS, $1) diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c index 5c3c4b301c598..1d82cf43e0677 100644 --- a/ext/ftp/ftp.c +++ b/ext/ftp/ftp.c @@ -293,9 +293,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const size_t user_len, const char *pa return 0; } -#if OPENSSL_VERSION_NUMBER >= 0x0090605fL ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; -#endif SSL_CTX_set_options(ctx, ssl_ctx_options); /* Allow SSL to re-use sessions. diff --git a/ext/ftp/php_ftp.c b/ext/ftp/php_ftp.c index 8c6c2e900177c..2f0f2b0d64198 100644 --- a/ext/ftp/php_ftp.c +++ b/ext/ftp/php_ftp.c @@ -99,15 +99,13 @@ static void ftp_object_destroy(zend_object *zobj) { PHP_MINIT_FUNCTION(ftp) { -#ifdef HAVE_FTP_SSL -#if OPENSSL_VERSION_NUMBER < 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER) +#if defined(HAVE_FTP_SSL) && !defined(LIBRESSL_VERSION_NUMBER) SSL_library_init(); OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); OpenSSL_add_all_algorithms(); SSL_load_error_strings(); -#endif #endif php_ftp_ce = register_class_FTP_Connection(); 
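Review bot: The rewritten guard in PHP_MINIT_FUNCTION(ftp), `#if defined(HAVE_FTP_SSL) && !defined(LIBRESSL_VERSION_NUMBER)`, inverts the old version test for OpenSSL builds. The legacy calls (`SSL_library_init()`, `OpenSSL_add_all_*()`, `SSL_load_error_strings()`) used to compile only for OpenSSL older than 1.1.1, but now compile on every non-LibreSSL build with FTP SSL enabled. With the floor raised to 1.1.1 the old condition can never hold, so the behaviour-preserving change is to delete the whole `#if … #endif` block rather than drop only the version clause. The openssl.c hunks in this patch keep the same legacy initialisation under `#ifdef LIBRESSL_VERSION_NUMBER` only, so the two extensions now disagree about when explicit library initialisation is needed. The function body continues past the end of the hunk.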
diff --git a/ext/openssl/config0.m4 b/ext/openssl/config0.m4 index ffd4e0751cc6b..1861a09ca5496 100644 --- a/ext/openssl/config0.m4 +++ b/ext/openssl/config0.m4 @@ -1,14 +1,7 @@ PHP_ARG_WITH([openssl], [for OpenSSL support], [AS_HELP_STRING([--with-openssl], - [Include OpenSSL support (requires OpenSSL >= 1.0.2)])]) - -PHP_ARG_WITH([kerberos], - [for Kerberos support], - [AS_HELP_STRING([--with-kerberos], - [OPENSSL: Include Kerberos support])], - [no], - [no]) + [Include OpenSSL support (requires OpenSSL >= 1.1.1)])]) PHP_ARG_WITH([system-ciphers], [whether to use system default cipher list instead of hardcoded value], @@ -20,14 +13,6 @@ PHP_ARG_WITH([system-ciphers], if test "$PHP_OPENSSL" != "no"; then PHP_NEW_EXTENSION(openssl, openssl.c xp_ssl.c, $ext_shared) PHP_SUBST(OPENSSL_SHARED_LIBADD) - - if test "$PHP_KERBEROS" != "no"; then - PKG_CHECK_MODULES([KERBEROS], [krb5-gssapi krb5]) - - PHP_EVAL_INCLINE($KERBEROS_CFLAGS) - PHP_EVAL_LIBLINE($KERBEROS_LIBS, OPENSSL_SHARED_LIBADD) - fi - PHP_SETUP_OPENSSL(OPENSSL_SHARED_LIBADD, [ AC_DEFINE(HAVE_OPENSSL_EXT,1,[ ]) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 1506e6fef45dc..949f5d76245e8 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -61,7 +61,7 @@ #include #endif -#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && !defined(OPENSSL_NO_ENGINE) +#if defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ENGINE) #include #endif @@ -99,7 +99,7 @@ #define HAVE_EVP_PKEY_EC 1 /* the OPENSSL_EC_EXPLICIT_CURVE value was added - * in OpenSSL 1.1.0; previous versions should + * in OpenSSL 1.1.0; previous versions should * use 0 instead. */ #ifndef OPENSSL_EC_EXPLICIT_CURVE 
@@ -1269,7 +1269,7 @@ PHP_MINIT_FUNCTION(openssl) php_openssl_pkey_object_handlers.clone_obj = NULL; php_openssl_pkey_object_handlers.compare = zend_objects_not_comparable; -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER) +#ifdef LIBRESSL_VERSION_NUMBER OPENSSL_config(NULL); SSL_library_init(); OpenSSL_add_all_ciphers(); @@ -1309,9 +1309,7 @@ PHP_MINIT_FUNCTION(openssl) php_stream_xport_register("tlsv1.0", php_openssl_ssl_socket_factory); php_stream_xport_register("tlsv1.1", php_openssl_ssl_socket_factory); php_stream_xport_register("tlsv1.2", php_openssl_ssl_socket_factory); -#if OPENSSL_VERSION_NUMBER >= 0x10101000 php_stream_xport_register("tlsv1.3", php_openssl_ssl_socket_factory); -#endif /* override the default tcp socket provider */ php_stream_xport_register("tcp", php_openssl_ssl_socket_factory); @@ -1364,7 +1362,7 @@ PHP_MINFO_FUNCTION(openssl) /* {{{ PHP_MSHUTDOWN_FUNCTION */ PHP_MSHUTDOWN_FUNCTION(openssl) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER) +#ifdef LIBRESSL_VERSION_NUMBER EVP_cleanup(); /* prevent accessing locking callback from unloaded extension */ @@ -1391,9 +1389,7 @@ PHP_MSHUTDOWN_FUNCTION(openssl) php_stream_xport_unregister("tlsv1.0"); php_stream_xport_unregister("tlsv1.1"); php_stream_xport_unregister("tlsv1.2"); -#if OPENSSL_VERSION_NUMBER >= 0x10101000 php_stream_xport_unregister("tlsv1.3"); -#endif /* reinstate the default tcp handler */ php_stream_xport_register("tcp", php_stream_generic_socket_factory); @@ -4609,7 +4605,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { EVP_PKEY_CTX_free(ctx); ctx = EVP_PKEY_CTX_new(param_key, NULL); } - + if (EVP_PKEY_check(ctx) || EVP_PKEY_public_check_quick(ctx)) { *is_private = d != NULL; EVP_PKEY_up_ref(param_key); diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h index 304854b4bf91d..3cf83b3d02bde 100644 --- a/ext/openssl/php_openssl.h +++ b/ext/openssl/php_openssl.h 
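Review bot: The `tlsv1.3` transport is registered in the `@@ -1309,9 +1309,7 @@` hunk and unregistered in the `@@ -1391,9 +1389,7 @@` hunk with no guard at all, while the xp_ssl.c change in this same patch still defines `HAVE_TLS13` only under `#ifndef OPENSSL_NO_TLS1_3`. Against a library built without TLS 1.3, the wrapper name would presumably still be advertised to scripts even though the protocol cannot be negotiated. Wrapping both calls in `#ifndef OPENSSL_NO_TLS1_3` would keep the registered transports consistent with what xp_ssl.c can actually serve. Both PHP_MINIT_FUNCTION(openssl) and PHP_MSHUTDOWN_FUNCTION(openssl) extend beyond these hunks, so confirm against the full functions.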
@@ -26,7 +26,7 @@ extern zend_module_entry openssl_module_entry; #define PHP_OPENSSL_VERSION PHP_VERSION #include -#if defined(LIBRESSL_VERSION_NUMBER) +#ifdef LIBRESSL_VERSION_NUMBER /* LibreSSL version check */ #if LIBRESSL_VERSION_NUMBER < 0x20700000L #define PHP_OPENSSL_API_VERSION 0x10001 @@ -35,9 +35,7 @@ extern zend_module_entry openssl_module_entry; #endif #else /* OpenSSL version check */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L -#define PHP_OPENSSL_API_VERSION 0x10002 -#elif OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L #define PHP_OPENSSL_API_VERSION 0x10100 #else #define PHP_OPENSSL_API_VERSION 0x30000 diff --git a/ext/openssl/tests/bug80747.phpt b/ext/openssl/tests/bug80747.phpt index b21fc4d9dcda3..2f6c654c9362c 100644 --- a/ext/openssl/tests/bug80747.phpt +++ b/ext/openssl/tests/bug80747.phpt @@ -2,10 +2,6 @@ Bug #80747: Providing RSA key size < 512 generates key that crash PHP --EXTENSIONS-- openssl ---SKIPIF-- -= v1.1.0 required"); -?> --FILE-- = 0x10101000; -$err_pem_no_start_line = $is_111 ? '0909006C': '0906D06C'; +$err_pem_no_start_line = '0909006C'; // PKEY echo "PKEY errors\n"; diff --git a/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt b/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt index f0560bd186cdc..7c06881c9be78 100644 --- a/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt +++ b/ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt @@ -4,9 +4,6 @@ int openssl_x509_checkpurpose ( mixed $x509cert , int $purpose [, array $cainfo marcosptf - --EXTENSIONS-- openssl ---SKIPIF-- - --FILE-- --FILE-- --FILE-- = v1.1.0 required"); if (!function_exists("proc_open")) die("skip no proc_open"); ?> --FILE-- diff --git a/ext/openssl/tests/tls_wrapper.phpt b/ext/openssl/tests/tls_wrapper.phpt index 2220fbc0ac1da..7e3d1121d6759 100644 --- a/ext/openssl/tests/tls_wrapper.phpt +++ b/ext/openssl/tests/tls_wrapper.phpt 
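Review bot: The LibreSSL branch kept as context in the php_openssl.h hunks still maps `LIBRESSL_VERSION_NUMBER < 0x20700000L` to `PHP_OPENSSL_API_VERSION 0x10001`, an API level older than the `0x10002` mapping this patch removes for OpenSSL. Nothing in the visible hunks sets a matching LibreSSL floor, so it is unclear whether such builds are still meant to be supported. If they are not, replacing that mapping with an `#error` naming the minimum LibreSSL release, or documenting that minimum next to the OpenSSL 1.1.1 note in UPGRADING, would keep the two library paths aligned. The surrounding `#ifdef`/`#else` block closes outside the hunk.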
@@ -5,7 +5,6 @@ openssl --SKIPIF-- --FILE-- --FILE-- --FILE-- = 0x10101000 && !defined(OPENSSL_NO_TLS1_3) +#ifndef OPENSSL_NO_TLS1_3 #define HAVE_TLS13 1 #endif @@ -89,7 +89,7 @@ #define HAVE_TLS_ALPN 1 #endif -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +#ifndef LIBRESSL_VERSION_NUMBER #define HAVE_SEC_LEVEL 1 #endif @@ -676,11 +676,7 @@ static int php_openssl_win_cert_verify_callback(X509_STORE_CTX *x509_store_ctx, { PCCERT_CONTEXT cert_ctx = NULL; PCCERT_CHAIN_CONTEXT cert_chain_ctx = NULL; -#if OPENSSL_VERSION_NUMBER < 0x10100000L - X509 *cert = x509_store_ctx->cert; -#else X509 *cert = X509_STORE_CTX_get0_cert(x509_store_ctx); -#endif php_stream *stream; php_openssl_netstream_data_t *sslsock; diff --git a/php.ini-development b/php.ini-development index 730a400ec9402..2ce934f811932 100644 --- a/php.ini-development +++ b/php.ini-development @@ -928,12 +928,6 @@ default_socket_timeout = 60 ; Be sure to appropriately set the extension_dir directive. ; ;extension=bz2 - -; The ldap extension must be before curl if OpenSSL 1.0.2 and OpenLDAP is used -; otherwise it results in segfault when unloading after using SASL. -; See https://github.com/php/php-src/issues/8620 for more info. -;extension=ldap - ;extension=curl ;extension=ffi ;extension=ftp @@ -942,6 +936,7 @@ default_socket_timeout = 60 ;extension=gettext ;extension=gmp ;extension=intl +;extension=ldap ;extension=mbstring ;extension=exif ; Must be after mbstring as it depends on it ;extension=mysqli diff --git a/php.ini-production b/php.ini-production index 56b0905f2e090..43d24fc372087 100644 --- a/php.ini-production +++ b/php.ini-production 
@@ -930,12 +930,6 @@ default_socket_timeout = 60 ; Be sure to appropriately set the extension_dir directive. ; ;extension=bz2 - -; The ldap extension must be before curl if OpenSSL 1.0.2 and OpenLDAP is used -; otherwise it results in segfault when unloading after using SASL. -; See https://github.com/php/php-src/issues/8620 for more info. -;extension=ldap - ;extension=curl ;extension=ffi ;extension=ftp @@ -944,6 +938,7 @@ default_socket_timeout = 60 ;extension=gettext ;extension=gmp ;extension=intl +;extension=ldap ;extension=mbstring ;extension=exif ; Must be after mbstring as it depends on it ;extension=mysqli diff --git a/travis/compile.sh b/travis/compile.sh index be1483f152196..bab44d30ad1c7 100755 --- a/travis/compile.sh +++ b/travis/compile.sh @@ -61,7 +61,6 @@ $S390X_CONFIG \ --enable-calendar \ --enable-ftp \ --with-enchant=/usr \ ---with-kerberos \ --enable-sysvmsg \ --with-ffi \ --with-sodium \