Mirror/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2025-07-15 20:25:17 +03:00
Code Issues Wiki Activity
aports/testing/php7/openssl3.patch
Andy Postnikov 856c519719 testing/php7: security upgrade to 7.4.32 
- CVE-2022-31628
- CVE-2022-31629

Also start using openssl3
2022-09-29 13:58:41 +00:00

197 lines
8 KiB
Diff
Raw Blame History

From a7df3564004807b812f189048463d8ad89fb0f21 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 18 May 2021 07:58:49 +0200
Subject: [PATCH] minimal fix for openssl 3.0
---
ext/openssl/openssl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 340e40a001bb..0ed4233b2125 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1221,7 +1221,9 @@ PHP_MINIT_FUNCTION(openssl)
REGISTER_LONG_CONSTANT("OPENSSL_CMS_NOSIGS", CMS_NOSIGS, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_PADDING", RSA_PKCS1_PADDING, CONST_CS|CONST_PERSISTENT);
+#ifdef RSA_SSLV23_PADDING
REGISTER_LONG_CONSTANT("OPENSSL_SSLV23_PADDING", RSA_SSLV23_PADDING, CONST_CS|CONST_PERSISTENT);
+#endif
REGISTER_LONG_CONSTANT("OPENSSL_NO_PADDING", RSA_NO_PADDING, CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING, CONST_CS|CONST_PERSISTENT);
From 1887f2274cf7b2e19daf911df76313286ded6381 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 3 Aug 2021 17:19:24 +0200
Subject: [PATCH] Use OpenSSL NCONF APIs
---
ext/openssl/openssl.c | 66 +++++++++++++++++++++++--------------------
1 file changed, 36 insertions(+), 30 deletions(-)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 9f5018d2fd75..8589fbaac164 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -487,8 +487,8 @@ int php_openssl_get_ssl_stream_data_index(void)
static char default_ssl_conf_filename[MAXPATHLEN];
struct php_x509_request { /* {{{ */
- LHASH_OF(CONF_VALUE) * global_config; /* Global SSL config */
- LHASH_OF(CONF_VALUE) * req_config; /* SSL config for this request */
+ CONF *global_config; /* Global SSL config */
+ CONF *req_config; /* SSL config for this request */
const EVP_MD * md_alg;
const EVP_MD * digest;
char * section_name,
@@ -700,13 +700,13 @@ static time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */
}
/* }}} */
-static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, LHASH_OF(CONF_VALUE) * config) /* {{{ */
+static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, CONF *config) /* {{{ */
{
X509V3_CTX ctx;
X509V3_set_ctx_test(&ctx);
- X509V3_set_conf_lhash(&ctx, config);
- if (!X509V3_EXT_add_conf(config, &ctx, (char *)section, NULL)) {
+ X509V3_set_nconf(&ctx, config);
+ if (!X509V3_EXT_add_nconf(config, &ctx, (char *)section, NULL)) {
php_openssl_store_errors();
php_error_docref(NULL, E_WARNING, "Error loading %s section %s of %s",
section_label,
@@ -718,17 +718,24 @@ static inline int php_openssl_config_check_syntax(const char * section_label, co
}
/* }}} */
-static char *php_openssl_conf_get_string(
- LHASH_OF(CONF_VALUE) *conf, const char *group, const char *name) {
- char *str = CONF_get_string(conf, group, name);
- if (str == NULL) {
- /* OpenSSL reports an error if a configuration value is not found.
- * However, we don't want to generate errors for optional configuration. */
- ERR_clear_error();
- }
+static char *php_openssl_conf_get_string(CONF *conf, const char *group, const char *name) {
+ /* OpenSSL reports an error if a configuration value is not found.
+ * However, we don't want to generate errors for optional configuration. */
+ ERR_set_mark();
+ char *str = NCONF_get_string(conf, group, name);
+ ERR_pop_to_mark();
return str;
}
+static long php_openssl_conf_get_number(CONF *conf, const char *group, const char *name) {
+ /* Same here, ignore errors. */
+ long res = 0;
+ ERR_set_mark();
+ NCONF_get_number(conf, group, name, &res);
+ ERR_pop_to_mark();
+ return res;
+}
+
static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */
{
char * str;
@@ -740,7 +747,7 @@ static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */
if (str == NULL) {
return SUCCESS;
}
- sktmp = CONF_get_section(req->req_config, str);
+ sktmp = NCONF_get_section(req->req_config, str);
if (sktmp == NULL) {
php_openssl_store_errors();
php_error_docref(NULL, E_WARNING, "Problem loading oid section %s", str);
@@ -811,13 +818,13 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
SET_OPTIONAL_STRING_ARG("config", req->config_filename, default_ssl_conf_filename);
SET_OPTIONAL_STRING_ARG("config_section_name", req->section_name, "req");
- req->global_config = CONF_load(NULL, default_ssl_conf_filename, NULL);
- if (req->global_config == NULL) {
+ req->global_config = NCONF_new(NULL);
+ if (!NCONF_load(req->global_config, default_ssl_conf_filename, NULL)) {
php_openssl_store_errors();
}
- req->req_config = CONF_load(NULL, req->config_filename, NULL);
- if (req->req_config == NULL) {
- php_openssl_store_errors();
+
+ req->req_config = NCONF_new(NULL);
+ if (!NCONF_load(req->req_config, req->config_filename, NULL)) {
return FAILURE;
}
@@ -841,8 +848,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
SET_OPTIONAL_STRING_ARG("req_extensions", req->request_extensions_section,
php_openssl_conf_get_string(req->req_config, req->section_name, "req_extensions"));
SET_OPTIONAL_LONG_ARG("private_key_bits", req->priv_key_bits,
- CONF_get_number(req->req_config, req->section_name, "default_bits"));
-
+ php_openssl_conf_get_number(req->req_config, req->section_name, "default_bits"));
SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT);
if (optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key")-1)) != NULL) {
@@ -922,11 +928,11 @@ static void php_openssl_dispose_config(struct php_x509_request * req) /* {{{ */
req->priv_key = NULL;
}
if (req->global_config) {
- CONF_free(req->global_config);
+ NCONF_free(req->global_config);
req->global_config = NULL;
}
if (req->req_config) {
- CONF_free(req->req_config);
+ NCONF_free(req->req_config);
req->req_config = NULL;
}
}
@@ -2808,12 +2814,12 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z
STACK_OF(CONF_VALUE) * dn_sk, *attr_sk = NULL;
char * str, *dn_sect, *attr_sect;
- dn_sect = CONF_get_string(req->req_config, req->section_name, "distinguished_name");
+ dn_sect = NCONF_get_string(req->req_config, req->section_name, "distinguished_name");
if (dn_sect == NULL) {
php_openssl_store_errors();
return FAILURE;
}
- dn_sk = CONF_get_section(req->req_config, dn_sect);
+ dn_sk = NCONF_get_section(req->req_config, dn_sect);
if (dn_sk == NULL) {
php_openssl_store_errors();
return FAILURE;
@@ -2822,7 +2828,7 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z
if (attr_sect == NULL) {
attr_sk = NULL;
} else {
- attr_sk = CONF_get_section(req->req_config, attr_sect);
+ attr_sk = NCONF_get_section(req->req_config, attr_sect);
if (attr_sk == NULL) {
php_openssl_store_errors();
return FAILURE;
@@ -3239,8 +3245,8 @@ PHP_FUNCTION(openssl_csr_sign)
X509V3_CTX ctx;
X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0);
- X509V3_set_conf_lhash(&ctx, req.req_config);
- if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.extensions_section, new_cert)) {
+ X509V3_set_nconf(&ctx, req.req_config);
+ if (!X509V3_EXT_add_nconf(req.req_config, &ctx, req.extensions_section, new_cert)) {
php_openssl_store_errors();
goto cleanup;
}
@@ -3313,10 +3319,10 @@ PHP_FUNCTION(openssl_csr_new)
X509V3_CTX ext_ctx;
X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, 0);
- X509V3_set_conf_lhash(&ext_ctx, req.req_config);
+ X509V3_set_nconf(&ext_ctx, req.req_config);
/* Add extensions */
- if (req.request_extensions_section && !X509V3_EXT_REQ_add_conf(req.req_config,
+ if (req.request_extensions_section && !X509V3_EXT_REQ_add_nconf(req.req_config,
&ext_ctx, req.request_extensions_section, csr))
{
php_openssl_store_errors();
Reference in a new issue View git blame Copy permalink