Make further OpenSSL 1.0.2 clean up

Closes GH-18133

ext/openssl/openssl.c

@@ -3975,20 +3975,11 @@ PHP_FUNCTION(openssl_sign)
 
 	md_ctx = EVP_MD_CTX_create();
 	size_t siglen;
-#if PHP_OPENSSL_API_VERSION >= 0x10100
 	if (md_ctx != NULL &&
 			EVP_DigestSignInit(md_ctx, NULL, mdtype, NULL, pkey) &&
 			EVP_DigestSign(md_ctx, NULL, &siglen, (unsigned char*)data, data_len) &&
 			(sigbuf = zend_string_alloc(siglen, 0)) != NULL &&
 			EVP_DigestSign(md_ctx, (unsigned char*)ZSTR_VAL(sigbuf), &siglen, (unsigned char*)data, data_len)) {
-#else
-	if (md_ctx != NULL &&
-			EVP_SignInit(md_ctx, mdtype) &&
-			EVP_SignUpdate(md_ctx, data, data_len) &&
-			(siglen = EVP_PKEY_size(pkey)) &&
-			(sigbuf = zend_string_alloc(siglen, 0)) != NULL &&
-			EVP_SignFinal(md_ctx, (unsigned char*)ZSTR_VAL(sigbuf), (unsigned int*)&siglen, pkey)) {
-#endif
 		ZSTR_VAL(sigbuf)[siglen] = '\0';
 		ZSTR_LEN(sigbuf) = siglen;
 		ZEND_TRY_ASSIGN_REF_NEW_STR(signature, sigbuf);
@@ -4049,14 +4040,8 @@ PHP_FUNCTION(openssl_verify)
 
 	md_ctx = EVP_MD_CTX_create();
 	if (md_ctx == NULL ||
-#if PHP_OPENSSL_API_VERSION >= 0x10100
 			!EVP_DigestVerifyInit(md_ctx, NULL, mdtype, NULL, pkey) ||
 			(err = EVP_DigestVerify(md_ctx, (unsigned char *)signature, signature_len, (unsigned char*)data, data_len)) < 0) {
-#else
-			!EVP_VerifyInit (md_ctx, mdtype) ||
-			!EVP_VerifyUpdate (md_ctx, data, data_len) ||
-			(err = EVP_VerifyFinal(md_ctx, (unsigned char *)signature, (unsigned int)signature_len, pkey)) < 0) {
-#endif
 		php_openssl_store_errors();
 	}
 	EVP_MD_CTX_destroy(md_ctx);

ext/openssl/openssl.stub.php

@@ -86,14 +86,6 @@ const OPENSSL_ALGO_MD4 = UNKNOWN;
  */
 const OPENSSL_ALGO_MD2 = UNKNOWN;
 #endif
-#if PHP_OPENSSL_API_VERSION < 0x10100
-/**
- * @var int
- * @cvalue OPENSSL_ALGO_DSS1
- */
-const OPENSSL_ALGO_DSS1 = UNKNOWN;
-#endif
-
 /**
  * @var int
  * @cvalue OPENSSL_ALGO_SHA224

ext/openssl/openssl_arginfo.h

@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 32bd0ec5db046bfe3bba8a5d3fe1c0c51ff89e00 */
+ * Stub hash: a42bd7dec0a5e011983ce08b5e31cd8718247501 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_export_to_file, 0, 2, _IS_BOOL, 0)
 	ZEND_ARG_OBJ_TYPE_MASK(0, certificate, OpenSSLCertificate, MAY_BE_STRING, NULL)
@@ -564,9 +564,6 @@ static void register_openssl_symbols(int module_number)
 #endif
 #if !defined(OPENSSL_NO_MD2)
 	REGISTER_LONG_CONSTANT("OPENSSL_ALGO_MD2", OPENSSL_ALGO_MD2, CONST_PERSISTENT);
-#endif
-#if PHP_OPENSSL_API_VERSION < 0x10100
-	REGISTER_LONG_CONSTANT("OPENSSL_ALGO_DSS1", OPENSSL_ALGO_DSS1, CONST_PERSISTENT);
 #endif
 	REGISTER_LONG_CONSTANT("OPENSSL_ALGO_SHA224", OPENSSL_ALGO_SHA224, CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("OPENSSL_ALGO_SHA256", OPENSSL_ALGO_SHA256, CONST_PERSISTENT);

ext/openssl/openssl_backend_common.c

@@ -461,7 +461,6 @@ zend_result php_openssl_write_rand_file(const char * file, int egdsocket, int se
 	if (file == NULL) {
 		file = RAND_file_name(buffer, sizeof(buffer));
 	}
-	PHP_OPENSSL_RAND_ADD_TIME();
 	if (file == NULL || !RAND_write_file(file)) {
 		php_openssl_store_errors();
 		php_error_docref(NULL, E_WARNING, "Unable to write random state");
@@ -489,11 +488,6 @@ EVP_MD * php_openssl_get_evp_md_from_algo(zend_long algo) {
 		case OPENSSL_ALGO_MD2:
 			mdtype = (EVP_MD *) EVP_md2();
 			break;
-#endif
-#if PHP_OPENSSL_API_VERSION < 0x10100
-		case OPENSSL_ALGO_DSS1:
-			mdtype = (EVP_MD *) EVP_dss1();
-			break;
 #endif
 		case OPENSSL_ALGO_SHA224:
 			mdtype = (EVP_MD *) EVP_sha224();
@@ -1510,7 +1504,6 @@ EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req)
 	int egdsocket, seeded;
 	char *randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE");
 	php_openssl_load_rand_file(randfile, &egdsocket, &seeded);
-	PHP_OPENSSL_RAND_ADD_TIME();
 
 	EVP_PKEY *key = NULL;
 	EVP_PKEY *params = NULL;
@@ -1700,48 +1693,25 @@ void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EV
 	int cipher_mode = EVP_CIPHER_mode(cipher_type);
 	memset(mode, 0, sizeof(struct php_openssl_cipher_mode));
 	switch (cipher_mode) {
-#if PHP_OPENSSL_API_VERSION >= 0x10100
-		/* Since OpenSSL 1.1, all AEAD ciphers use a common framework. We check for
-		 * EVP_CIPH_OCB_MODE, because LibreSSL does not support it. */
 		case EVP_CIPH_GCM_MODE:
 		case EVP_CIPH_CCM_MODE:
-# ifdef EVP_CIPH_OCB_MODE
+		/* We check for EVP_CIPH_OCB_MODE, because LibreSSL does not support it. */
+#ifdef EVP_CIPH_OCB_MODE
 		case EVP_CIPH_OCB_MODE:
 			/* For OCB mode, explicitly set the tag length even when decrypting,
 			 * see https://github.com/openssl/openssl/issues/8331. */
 			mode->set_tag_length_always = cipher_mode == EVP_CIPH_OCB_MODE;
-# endif
+#endif
 			php_openssl_set_aead_flags(mode);
 			mode->set_tag_length_when_encrypting = cipher_mode == EVP_CIPH_CCM_MODE;
 			mode->is_single_run_aead = cipher_mode == EVP_CIPH_CCM_MODE;
 			break;
-# ifdef NID_chacha20_poly1305
+#ifdef NID_chacha20_poly1305
 		default:
 			if (EVP_CIPHER_nid(cipher_type) == NID_chacha20_poly1305) {
 				php_openssl_set_aead_flags(mode);
 			}
 			break;
-
-# endif
-#else
-# ifdef EVP_CIPH_GCM_MODE
-		case EVP_CIPH_GCM_MODE:
-			mode->is_aead = 1;
-			mode->aead_get_tag_flag = EVP_CTRL_GCM_GET_TAG;
-			mode->aead_set_tag_flag = EVP_CTRL_GCM_SET_TAG;
-			mode->aead_ivlen_flag = EVP_CTRL_GCM_SET_IVLEN;
-			break;
-# endif
-# ifdef EVP_CIPH_CCM_MODE
-		case EVP_CIPH_CCM_MODE:
-			mode->is_aead = 1;
-			mode->is_single_run_aead = 1;
-			mode->set_tag_length_when_encrypting = 1;
-			mode->aead_get_tag_flag = EVP_CTRL_CCM_GET_TAG;
-			mode->aead_set_tag_flag = EVP_CTRL_CCM_SET_TAG;
-			mode->aead_ivlen_flag = EVP_CTRL_CCM_SET_IVLEN;
-			break;
-# endif
 #endif
 	}
 }
@@ -2121,7 +2091,6 @@ PHP_OPENSSL_API zend_string* php_openssl_random_pseudo_bytes(zend_long buffer_le
 	buffer = zend_string_alloc(buffer_length, 0);
 
 	PHP_OPENSSL_CHECK_LONG_TO_INT_NULL_RETURN(buffer_length, length);
-	PHP_OPENSSL_RAND_ADD_TIME();
 	if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) {
 		php_openssl_store_errors();
 		zend_string_release_ex(buffer, 0);

ext/openssl/openssl_backend_v1.c

@@ -116,7 +116,6 @@ static bool php_openssl_pkey_init_dsa_data(DSA *dsa, zval *data, bool *is_privat
 	}
 
 	/* generate key */
-	PHP_OPENSSL_RAND_ADD_TIME();
 	if (!DSA_generate_key(dsa)) {
 		php_openssl_store_errors();
 		return 0;
@@ -185,7 +184,6 @@ static bool php_openssl_pkey_init_dh_data(DH *dh, zval *data, bool *is_private)
 	}
 
 	/* generate key */
-	PHP_OPENSSL_RAND_ADD_TIME();
 	if (!DH_generate_key(dh)) {
 		php_openssl_store_errors();
 		return 0;
@@ -341,7 +339,6 @@ static bool php_openssl_pkey_init_ec_data(EC_KEY *eckey, zval *data, bool *is_pr
 
 	if (!EC_KEY_check_key(eckey)) {
 		*is_private = true;
-		PHP_OPENSSL_RAND_ADD_TIME();
 		EC_KEY_generate_key(eckey);
 	}
 

ext/openssl/openssl_backend_v3.c

@@ -143,7 +143,6 @@ EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private)
 		pkey = param_key;
 	} else {
 		*is_private = true;
-		PHP_OPENSSL_RAND_ADD_TIME();
 		EVP_PKEY_CTX_free(ctx);
 		ctx = EVP_PKEY_CTX_new(param_key, NULL);
 		if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
@@ -219,7 +218,6 @@ EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private)
 		pkey = param_key;
 	} else {
 		*is_private = true;
-		PHP_OPENSSL_RAND_ADD_TIME();
 		EVP_PKEY_CTX_free(ctx);
 		ctx = EVP_PKEY_CTX_new(param_key, NULL);
 		if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
@@ -407,7 +405,6 @@ EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
 		pkey = param_key;
 	} else {
 		*is_private = true;
-		PHP_OPENSSL_RAND_ADD_TIME();
 		if (EVP_PKEY_keygen_init(ctx) != 1 ||
 				EVP_PKEY_CTX_set_params(ctx, params) != 1 ||
 				EVP_PKEY_generate(ctx, &pkey) != 1) {
@@ -482,7 +479,6 @@ void php_openssl_pkey_object_curve_25519_448(zval *return_value, int key_type, z
 		is_private = priv_key != NULL;
 	} else {
 		is_private = true;
-		PHP_OPENSSL_RAND_ADD_TIME();
 		if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
 			goto cleanup;
 		}

ext/openssl/php_openssl_backend.h

@@ -118,9 +118,7 @@ enum php_openssl_encoding {
 #ifndef OPENSSL_NO_MD2
 #define OPENSSL_ALGO_MD2	4
 #endif
-#if PHP_OPENSSL_API_VERSION < 0x10100
-#define OPENSSL_ALGO_DSS1	5
-#endif
+/* Number 5 was used for OPENSSL_ALGO_DSS1 which is no longer available */
 #define OPENSSL_ALGO_SHA224 6
 #define OPENSSL_ALGO_SHA256 7
 #define OPENSSL_ALGO_SHA384 8
@@ -220,23 +218,6 @@ const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(zend_long algo);
 int php_openssl_parse_config(struct php_x509_request * req, zval * optional_args);
 void php_openssl_dispose_config(struct php_x509_request * req);
 
-
-#if defined(PHP_WIN32) || PHP_OPENSSL_API_VERSION >= 0x10100
-#define PHP_OPENSSL_RAND_ADD_TIME() ((void) 0)
-#else
-#define PHP_OPENSSL_RAND_ADD_TIME() php_openssl_rand_add_timeval()
-
-static inline void php_openssl_rand_add_timeval(void)  /* {{{ */
-{
-	struct timeval tv;
-
-	gettimeofday(&tv, NULL);
-	RAND_add(&tv, sizeof(tv), 0.0);
-}
-/* }}} */
-
-#endif
-
 zend_result php_openssl_load_rand_file(const char * file, int *egdsocket, int *seeded);
 zend_result php_openssl_write_rand_file(const char * file, int egdsocket, int seeded);
 
@@ -279,7 +260,7 @@ X509_REQ *php_openssl_csr_from_str(zend_string *csr_str, uint32_t arg_num);
 X509_REQ *php_openssl_csr_from_param(
 		zend_object *csr_obj, zend_string *csr_str, uint32_t arg_num);
 
-#if PHP_OPENSSL_API_VERSION >= 0x10100 && !defined (LIBRESSL_VERSION_NUMBER)
+#if !defined (LIBRESSL_VERSION_NUMBER)
 #define PHP_OPENSSL_ASN1_INTEGER_set ASN1_INTEGER_set_int64
 #else
 #define PHP_OPENSSL_ASN1_INTEGER_set ASN1_INTEGER_set
@@ -349,14 +330,12 @@ struct php_openssl_cipher_mode {
 	int aead_ivlen_flag;
 };
 
-#if PHP_OPENSSL_API_VERSION >= 0x10100
 static inline void php_openssl_set_aead_flags(struct php_openssl_cipher_mode *mode) {
 	mode->is_aead = true;
 	mode->aead_get_tag_flag = EVP_CTRL_AEAD_GET_TAG;
 	mode->aead_set_tag_flag = EVP_CTRL_AEAD_SET_TAG;
 	mode->aead_ivlen_flag = EVP_CTRL_AEAD_SET_IVLEN;
 }
-#endif
 
 void php_openssl_load_cipher_mode(struct php_openssl_cipher_mode *mode, const EVP_CIPHER *cipher_type);
 zend_result php_openssl_validate_iv(const char **piv, size_t *piv_len, size_t iv_required_len,
@@ -375,6 +354,4 @@ zend_result php_openssl_cipher_update(const EVP_CIPHER *cipher_type,
 
 const EVP_CIPHER *php_openssl_get_evp_cipher_by_name(const char *method);
 
-
 #endif
-

ext/openssl/xp_ssl.c

@@ -148,10 +148,6 @@
 #define HAVE_IPV6_SAN 1
 #endif
 
-#if PHP_OPENSSL_API_VERSION < 0x10100
-static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength);
-#endif
-
 extern php_stream* php_openssl_get_stream_from_ssl_handle(const SSL *ssl);
 extern zend_string* php_openssl_x509_fingerprint(X509 *peer, const char *method, bool raw);
 extern int php_openssl_get_ssl_stream_data_index(void);
@@ -987,45 +983,6 @@ static zend_result php_openssl_set_local_cert(SSL_CTX *ctx, php_stream *stream)
 }
 /* }}} */
 
-#if PHP_OPENSSL_API_VERSION < 0x10100
-static int php_openssl_get_crypto_method_ctx_flags(int method_flags) /* {{{ */
-{
-	int ssl_ctx_options = SSL_OP_ALL;
-
-#ifdef SSL_OP_NO_SSLv2
-	ssl_ctx_options |= SSL_OP_NO_SSLv2;
-#endif
-#ifdef HAVE_SSL3
-	if (!(method_flags & STREAM_CRYPTO_METHOD_SSLv3)) {
-		ssl_ctx_options |= SSL_OP_NO_SSLv3;
-	}
-#endif
-#ifdef HAVE_TLS1
-	if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_0)) {
-		ssl_ctx_options |= SSL_OP_NO_TLSv1;
-	}
-#endif
-#ifdef HAVE_TLS11
-	if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_1)) {
-		ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
-	}
-#endif
-#ifdef HAVE_TLS12
-	if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_2)) {
-		ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
-	}
-#endif
-#ifdef HAVE_TLS13
-	if (!(method_flags & STREAM_CRYPTO_METHOD_TLSv1_3)) {
-		ssl_ctx_options |= SSL_OP_NO_TLSv1_3;
-	}
-#endif
-
-	return ssl_ctx_options;
-}
-/* }}} */
-#endif
-
 static inline int php_openssl_get_min_proto_version_flag(int flags) /* {{{ */
 {
 	int ver;
@@ -1050,7 +1007,6 @@ static inline int php_openssl_get_max_proto_version_flag(int flags) /* {{{ */
 }
 /* }}} */
 
-#if PHP_OPENSSL_API_VERSION >= 0x10100
 static inline int php_openssl_map_proto_version(int flag) /* {{{ */
 {
 	switch (flag) {
@@ -1085,7 +1041,6 @@ static int php_openssl_get_max_proto_version(int flags) /* {{{ */
 	return php_openssl_map_proto_version(php_openssl_get_max_proto_version_flag(flags));
 }
 /* }}} */
-#endif
 
 static int php_openssl_get_proto_version_flags(int flags, int min, int max) /* {{{ */
 {
@@ -1219,30 +1174,6 @@ static void php_openssl_init_server_reneg_limit(php_stream *stream, php_openssl_
 }
 /* }}} */
 
-#if PHP_OPENSSL_API_VERSION < 0x10100
-static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength)
-{
-	BIGNUM *bn = NULL;
-	static RSA *rsa_tmp = NULL;
-
-	if (!rsa_tmp && ((bn = BN_new()) == NULL)) {
-		php_error_docref(NULL, E_WARNING, "allocation error generating RSA key");
-	}
-	if (!rsa_tmp && bn) {
-		if (!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
-			!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
-			if (rsa_tmp) {
-				RSA_free(rsa_tmp);
-			}
-			rsa_tmp = NULL;
-		}
-		BN_free(bn);
-	}
-
-	return (rsa_tmp);
-}
-#endif
-
 static zend_result php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* {{{ */
 {
 	zval *zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param");
@@ -1303,57 +1234,11 @@ static zend_result php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX
 }
 /* }}} */
 
-#if defined(HAVE_ECDH) && PHP_OPENSSL_API_VERSION < 0x10100
-static zend_result php_openssl_set_server_ecdh_curve(php_stream *stream, SSL_CTX *ctx) /* {{{ */
-{
-	zval *zvcurve;
-	int curve_nid;
-	EC_KEY *ecdh;
-
-	zvcurve = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "ecdh_curve");
-	if (zvcurve == NULL) {
-		SSL_CTX_set_ecdh_auto(ctx, 1);
-		return SUCCESS;
-	} else {
-		if (!try_convert_to_string(zvcurve)) {
-			return FAILURE;
-		}
-
-		curve_nid = OBJ_sn2nid(Z_STRVAL_P(zvcurve));
-		if (curve_nid == NID_undef) {
-			php_error_docref(NULL, E_WARNING, "Invalid ecdh_curve specified");
-			return FAILURE;
-		}
-	}
-
-	ecdh = EC_KEY_new_by_curve_name(curve_nid);
-	if (ecdh == NULL) {
-		php_error_docref(NULL, E_WARNING, "Failed generating ECDH curve");
-		return FAILURE;
-	}
-
-	SSL_CTX_set_tmp_ecdh(ctx, ecdh);
-	EC_KEY_free(ecdh);
-
-	return SUCCESS;
-}
-/* }}} */
-#endif
-
 static zend_result php_openssl_set_server_specific_opts(php_stream *stream, SSL_CTX *ctx) /* {{{ */
 {
 	zval *zv;
 	long ssl_ctx_options = SSL_CTX_get_options(ctx);
 
-#if defined(HAVE_ECDH) && PHP_OPENSSL_API_VERSION < 0x10100
-	if (php_openssl_set_server_ecdh_curve(stream, ctx) == FAILURE) {
-		return FAILURE;
-	}
-#endif
-
-#if PHP_OPENSSL_API_VERSION < 0x10100
-	SSL_CTX_set_tmp_rsa_callback(ctx, php_openssl_tmp_rsa_cb);
-#endif
 	/* We now use php_openssl_tmp_rsa_cb to generate a key of appropriate size whenever necessary */
 	if (php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "rsa_key_size") != NULL) {
 		php_error_docref(NULL, E_WARNING, "rsa_key_size context option has been removed");
@@ -1690,11 +1575,7 @@ static zend_result php_openssl_setup_crypto(php_stream *stream,
 	GET_VER_OPT_LONG("min_proto_version", min_version);
 	GET_VER_OPT_LONG("max_proto_version", max_version);
 	method_flags = php_openssl_get_proto_version_flags(method_flags, min_version, max_version);
-#if PHP_OPENSSL_API_VERSION < 0x10100
-	ssl_ctx_options = php_openssl_get_crypto_method_ctx_flags(method_flags);
-#else
 	ssl_ctx_options = SSL_OP_ALL;
-#endif
 
 	if (GET_VER_OPT("no_ticket") && zend_is_true(val)) {
 		ssl_ctx_options |= SSL_OP_NO_TICKET;
@@ -1780,10 +1661,8 @@ static zend_result php_openssl_setup_crypto(php_stream *stream,
 
 	SSL_CTX_set_options(sslsock->ctx, ssl_ctx_options);
 
-#if PHP_OPENSSL_API_VERSION >= 0x10100
 	SSL_CTX_set_min_proto_version(sslsock->ctx, php_openssl_get_min_proto_version(method_flags));
 	SSL_CTX_set_max_proto_version(sslsock->ctx, php_openssl_get_max_proto_version(method_flags));
-#endif
 
 	if (sslsock->is_client == 0 &&
 		PHP_STREAM_CONTEXT(stream) &&