ext/openssl: Bump minimum required OpenSSL version to 1.1.1

Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1.

OpenSSL 1.1.1 is an LTS release, but has reached[^1] EOL

ext/openssl: Bump minimum required OpenSSL version to 1.1.1

Bumps the minimum required OpenSSL version from 1.0.2 to 1.1.1.

OpenSSL 1.1.1 is an LTS release, but has reached[^1] EOL from upstream. However, Linux distro/OS vendors
continue to ship OpenSSL 1.1.1, so 1.1.1 was picked as the minimum. The current minimum 1.0.2 reached
EOL in 2018.

Bumping the minimum required OpenSSL version makes it possible for ext-openssl to remove a bunch of
conditional code, and assume that TLS 1.3 (shipped with OpenSSL 1.1.1) will be supported everywhere.

- Debian buster: 1.1.1[^2]
- Ubuntu 20.04: 1.1.1[^3]
- CentOS/RHEL 7: 1.0.2
- RHEL 8/Rocky 8/EL 8: 1.1.1
- Fedora 38: 3.0.9 (`openssl11` provides OpenSSL 1.1 as well)

RHEL/CentOS 7 reaches EOL mid 2024, so for PHP 8.4 scheduled towards the end of this year, we can safely
bump the minimum OpenSSL version.

[^1]: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html
[^2]: https://packages.debian.org/buster/libssl-dev
[^3]: https://packages.ubuntu.com/focal/libssl-dev

show more ...

ext/openssl: fix libressl build.

Close GH-12919

Introduce new serial_hex parameter to openssl_csr_sign

Co-authored-by: Florian Sowade <f.sowade@suora.com>

Closes GH-13023
Closes GH-9851

Implement request #48520: openssl_csr_new should allow multiple values/fields in dn

Closes GH-12984

Fix bug #80269: OpenSSL sets Subject wrong with extraattribs parameter

Closes GH-12979

Fix GH-12987: openssl_csr_sign might leak new cert on error

Closes GH-12988

Fix #50713: openssl_pkcs7_verify() may ignore untrusted CAs

Closes GH-12499

Fix GH-12489: Missing sigbio creation checking in openssl_cms_verify

Closes GH-12490

Improve openssl ext to generate EC keys with custom EC parameters

This change extends supported parameter when generating EC keys.

Specifically following parameters are now supporte

Improve openssl ext to generate EC keys with custom EC parameters

This change extends supported parameter when generating EC keys.

Specifically following parameters are now supported: p, a, b, order,
generator, seed, cofactory, g_x, g_y, x, y and d.

Those parameters can be passed to ec field in openssl_pkey_new options.

It also fixes some issues openssl_pkey_get_details related to SM2
support.

Closes GH-9991

show more ...

Fix GH-11054: Reset OpenSSL errors when using a PEM public key

The error happens when the PEM contains a public key, as it will be
first tried to be parsed as a certificate. The parsing

Fix GH-11054: Reset OpenSSL errors when using a PEM public key

The error happens when the PEM contains a public key, as it will be
first tried to be parsed as a certificate. The parsing as a certificate
fails, which then leads to a corresponding error tracked by PHP with
the next call to php_openssl_store_errors().

This change introduces an error marking to be able to reset the stored
errors to the state before trying the certificate.

Closes GH-11055

show more ...

Add missing error check on PEM_write_bio_PKCS7()

Closes GH-10752.

Add missing error check on PEM_write_bio_CMS()

On failure, this function returns 0. 2 other callers of this function
already check the return value, but this one was missed.

Add missing error check on i2d_PKCS12_bio()

This function returns 0 on error and 1 on success. The error case was
not checked and the function therefore would've returned true.
The o

Add missing error check on i2d_PKCS12_bio()

This function returns 0 on error and 1 on success. The error case was
not checked and the function therefore would've returned true.
The only other caller of i2d_PKCS12_bio() in the file has
a correct error check.

Closes GH-10761.

show more ...

Fix GCC 12 compiler warnings (#10713)

* Fix -Wunused-but-set-variable compiler warning in ext/mysqli

* Fix -Wstrict-prototypes compiler warning in ext/mysqlnd

* Fix -Wstric

Fix GCC 12 compiler warnings (#10713)

* Fix -Wunused-but-set-variable compiler warning in ext/mysqli

* Fix -Wstrict-prototypes compiler warning in ext/mysqlnd

* Fix -Wstrict-prototypes compiler warning in ext/soap

* Fix -Wunused-but-set-variable compiler warning in ext/exif

However, this code looks really sketchy...

* Fix -Wstrict-prototypes compiler warning in ext/openssl

* Fix -Wstrict-prototypes compiler warning in ext/dba

Add void to our bundled libraries

* Refactor bundled BCMath library

Fix -Wdeprecated-non-prototype compiler warnings
Use bool instead of char/int
Cleanup some useless header includes

show more ...

Use zend_result where appropriate in ext/openssl
Remove dead code

s is always NULL, so the check is always false.

Closes GH-10704.

Revert "Merge branch 'PHP-8.0' into PHP-8.1"

This reverts commit 0116864cd312f9756f38a0ee0f83bb302a7e367b, reversing
changes made to 1f715f5658f5909a9346f56812fa605744d23880.

Revert "Make build work with newer OpenSSL"

This reverts commit 5f90134bb69a345c7edb5013e6461e84caa32dbc.

Make build work with newer OpenSSL

Fix GH-10000: Test failures when OpenSSL compiled with no-dsa

Fix GH-9064: PHP fails to build if openssl was built with no-ec

Fix GH-9997: OpenSSL engine clean up segfault

Fix OpenSSL conflicting merge for compilation issue with old digests

Fix GH-8430: OpenSSL compiled with old disgests does not build

Specifically no-md2, no-md4 or no-rmd160 were not supported

Clean up OpenSSL engine list when OpenSSL 1.0.2 used

Attempt to fix GH-8620.

Revert "Port all internally used classes to use default_object_handlers"

This reverts commit 94ee4f9834743ca74f6c9653863273277ce6c61a.

The commit was a bit too late to be included i

Revert "Port all internally used classes to use default_object_handlers"

This reverts commit 94ee4f9834743ca74f6c9653863273277ce6c61a.

The commit was a bit too late to be included in PHP 8.2 RC1. Given it's a massive ABI break, we decide to postpone the change to PHP 8.3.

show more ...