Github messages for voidlinux
* [PR PATCH] php8.0: patch for openssl3
@ 2023-02-13  2:21 dkwo
  2023-02-15 19:20 ` TinfoilSubmarine
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: dkwo @ 2023-02-13  2:21 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 440 bytes --]

There is a new pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages O3php80
https://github.com/void-linux/void-packages/pull/42231

php8.0: patch for openssl3
- I tested the changes in this PR: no
- I built this PR locally for my native architecture, (x86_64-musl)

#37681 @TinfoilSubmarine 

A patch file from https://github.com/void-linux/void-packages/pull/42231.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-O3php80-42231.patch --]
[-- Type: text/x-diff, Size: 9425 bytes --]

From 9830081483cde80b718c56b52b15cb96c84748cb Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 12 Feb 2023 21:19:34 -0500
Subject: [PATCH] php8.0: patch for openssl3

---
 srcpkgs/php8.0/patches/openssl3.patch | 197 ++++++++++++++++++++++++++
 srcpkgs/php8.0/template               |   2 +-
 2 files changed, 198 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/php8.0/patches/openssl3.patch

diff --git a/srcpkgs/php8.0/patches/openssl3.patch b/srcpkgs/php8.0/patches/openssl3.patch
new file mode 100644
index 000000000000..6400e37ff6c7
--- /dev/null
+++ b/srcpkgs/php8.0/patches/openssl3.patch
@@ -0,0 +1,197 @@
+From a7df3564004807b812f189048463d8ad89fb0f21 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 18 May 2021 07:58:49 +0200
+Subject: [PATCH] minimal fix for openssl 3.0
+
+---
+ ext/openssl/openssl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 340e40a001bb..0ed4233b2125 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -1221,7 +1221,9 @@ PHP_MINIT_FUNCTION(openssl)
+ 	REGISTER_LONG_CONSTANT("OPENSSL_CMS_NOSIGS", CMS_NOSIGS, CONST_CS|CONST_PERSISTENT);
+ 
+ 	REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_PADDING", RSA_PKCS1_PADDING, CONST_CS|CONST_PERSISTENT);
++#ifdef RSA_SSLV23_PADDING
+ 	REGISTER_LONG_CONSTANT("OPENSSL_SSLV23_PADDING", RSA_SSLV23_PADDING, CONST_CS|CONST_PERSISTENT);
++#endif
+ 	REGISTER_LONG_CONSTANT("OPENSSL_NO_PADDING", RSA_NO_PADDING, CONST_CS|CONST_PERSISTENT);
+ 	REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING, CONST_CS|CONST_PERSISTENT);
+ 
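Review bot: The `#ifdef RSA_SSLV23_PADDING` guard around the `OPENSSL_SSLV23_PADDING` registration makes the PHP constant silently absent whenever the OpenSSL headers do not define the macro, so any script that references it will hit an undefined constant. Add a comment above the `#ifdef` stating why the registration is conditional, and mention the possibly missing constant in the commit message so users of this build know about it.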
+From 1887f2274cf7b2e19daf911df76313286ded6381 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Tue, 3 Aug 2021 17:19:24 +0200
+Subject: [PATCH] Use OpenSSL NCONF APIs
+
+---
+ ext/openssl/openssl.c | 66 +++++++++++++++++++++++--------------------
+ 1 file changed, 36 insertions(+), 30 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 9f5018d2fd75..8589fbaac164 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -487,8 +487,8 @@ int php_openssl_get_ssl_stream_data_index(void)
+ static char default_ssl_conf_filename[MAXPATHLEN];
+ 
+ struct php_x509_request { /* {{{ */
+-	LHASH_OF(CONF_VALUE) * global_config;	/* Global SSL config */
+-	LHASH_OF(CONF_VALUE) * req_config;		/* SSL config for this request */
++	CONF *global_config;	/* Global SSL config */
++	CONF *req_config;		/* SSL config for this request */
+ 	const EVP_MD * md_alg;
+ 	const EVP_MD * digest;
+ 	char	* section_name,
+@@ -700,13 +700,13 @@ static time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */
+ }
+ /* }}} */
+ 
+-static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, LHASH_OF(CONF_VALUE) * config) /* {{{ */
++static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, CONF *config) /* {{{ */
+ {
+ 	X509V3_CTX ctx;
+ 
+ 	X509V3_set_ctx_test(&ctx);
+-	X509V3_set_conf_lhash(&ctx, config);
+-	if (!X509V3_EXT_add_conf(config, &ctx, (char *)section, NULL)) {
++	X509V3_set_nconf(&ctx, config);
++	if (!X509V3_EXT_add_nconf(config, &ctx, (char *)section, NULL)) {
+ 		php_openssl_store_errors();
+ 		php_error_docref(NULL, E_WARNING, "Error loading %s section %s of %s",
+ 				section_label,
+@@ -718,17 +718,24 @@ static inline int php_openssl_config_check_syntax(const char * section_label, co
+ }
+ /* }}} */
+ 
+-static char *php_openssl_conf_get_string(
+-		LHASH_OF(CONF_VALUE) *conf, const char *group, const char *name) {
+-	char *str = CONF_get_string(conf, group, name);
+-	if (str == NULL) {
+-		/* OpenSSL reports an error if a configuration value is not found.
+-		 * However, we don't want to generate errors for optional configuration. */
+-		ERR_clear_error();
+-	}
++static char *php_openssl_conf_get_string(CONF *conf, const char *group, const char *name) {
++	/* OpenSSL reports an error if a configuration value is not found.
++	 * However, we don't want to generate errors for optional configuration. */
++	ERR_set_mark();
++	char *str = NCONF_get_string(conf, group, name);
++	ERR_pop_to_mark();
+ 	return str;
+ }
+ 
++static long php_openssl_conf_get_number(CONF *conf, const char *group, const char *name) {
++	/* Same here, ignore errors. */
++	long res = 0;
++	ERR_set_mark();
++	NCONF_get_number(conf, group, name, &res);
++	ERR_pop_to_mark();
++	return res;
++}
++
+ static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */
+ {
+ 	char * str;
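Review bot: In the new `php_openssl_conf_get_number`, the return value of `NCONF_get_number` is discarded and `res` starts at 0, so a missing or unparsable value cannot be told apart from an explicit 0, and `ERR_pop_to_mark()` throws away the only record of the failure. This helper later supplies the `default_bits` fallback for `private_key_bits`, so a 0 key size can flow through unnoticed. Check the return value and either fall back to a defined default or document that callers must validate the result.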
+@@ -740,7 +747,7 @@ static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */
+ 	if (str == NULL) {
+ 		return SUCCESS;
+ 	}
+-	sktmp = CONF_get_section(req->req_config, str);
++	sktmp = NCONF_get_section(req->req_config, str);
+ 	if (sktmp == NULL) {
+ 		php_openssl_store_errors();
+ 		php_error_docref(NULL, E_WARNING, "Problem loading oid section %s", str);
+@@ -811,13 +818,13 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
+ 
+ 	SET_OPTIONAL_STRING_ARG("config", req->config_filename, default_ssl_conf_filename);
+ 	SET_OPTIONAL_STRING_ARG("config_section_name", req->section_name, "req");
+-	req->global_config = CONF_load(NULL, default_ssl_conf_filename, NULL);
+-	if (req->global_config == NULL) {
++	req->global_config = NCONF_new(NULL);
++	if (!NCONF_load(req->global_config, default_ssl_conf_filename, NULL)) {
+ 		php_openssl_store_errors();
+ 	}
+-	req->req_config = CONF_load(NULL, req->config_filename, NULL);
+-	if (req->req_config == NULL) {
+-		php_openssl_store_errors();
++
++	req->req_config = NCONF_new(NULL);
++	if (!NCONF_load(req->req_config, req->config_filename, NULL)) {
+ 		return FAILURE;
+ 	}
+ 
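Review bot: The `req_config` failure path now reaches `return FAILURE;` without the `php_openssl_store_errors()` call that the removed lines had, so the reason `NCONF_load` rejected `req->config_filename` is no longer recorded by PHP. Restore the call before the return. Both `NCONF_new(NULL)` results are also handed to `NCONF_load` without a NULL check; test them first and treat an allocation failure as `FAILURE`.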
+@@ -841,8 +848,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
+ 	SET_OPTIONAL_STRING_ARG("req_extensions", req->request_extensions_section,
+ 		php_openssl_conf_get_string(req->req_config, req->section_name, "req_extensions"));
+ 	SET_OPTIONAL_LONG_ARG("private_key_bits", req->priv_key_bits,
+-		CONF_get_number(req->req_config, req->section_name, "default_bits"));
+-
++		php_openssl_conf_get_number(req->req_config, req->section_name, "default_bits"));
+ 	SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT);
+ 
+ 	if (optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key")-1)) != NULL) {
+@@ -922,11 +928,11 @@ static void php_openssl_dispose_config(struct php_x509_request * req) /* {{{ */
+ 		req->priv_key = NULL;
+ 	}
+ 	if (req->global_config) {
+-		CONF_free(req->global_config);
++		NCONF_free(req->global_config);
+ 		req->global_config = NULL;
+ 	}
+ 	if (req->req_config) {
+-		CONF_free(req->req_config);
++		NCONF_free(req->req_config);
+ 		req->req_config = NULL;
+ 	}
+ }
+@@ -2808,12 +2814,12 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z
+ 	STACK_OF(CONF_VALUE) * dn_sk, *attr_sk = NULL;
+ 	char * str, *dn_sect, *attr_sect;
+ 
+-	dn_sect = CONF_get_string(req->req_config, req->section_name, "distinguished_name");
++	dn_sect = NCONF_get_string(req->req_config, req->section_name, "distinguished_name");
+ 	if (dn_sect == NULL) {
+ 		php_openssl_store_errors();
+ 		return FAILURE;
+ 	}
+-	dn_sk = CONF_get_section(req->req_config, dn_sect);
++	dn_sk = NCONF_get_section(req->req_config, dn_sect);
+ 	if (dn_sk == NULL) {
+ 		php_openssl_store_errors();
+ 		return FAILURE;
+@@ -2822,7 +2828,7 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z
+ 	if (attr_sect == NULL) {
+ 		attr_sk = NULL;
+ 	} else {
+-		attr_sk = CONF_get_section(req->req_config, attr_sect);
++		attr_sk = NCONF_get_section(req->req_config, attr_sect);
+ 		if (attr_sk == NULL) {
+ 			php_openssl_store_errors();
+ 			return FAILURE;
+@@ -3239,8 +3245,8 @@ PHP_FUNCTION(openssl_csr_sign)
+ 		X509V3_CTX ctx;
+ 
+ 		X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0);
+-		X509V3_set_conf_lhash(&ctx, req.req_config);
+-		if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.extensions_section, new_cert)) {
++		X509V3_set_nconf(&ctx, req.req_config);
++		if (!X509V3_EXT_add_nconf(req.req_config, &ctx, req.extensions_section, new_cert)) {
+ 			php_openssl_store_errors();
+ 			goto cleanup;
+ 		}
+@@ -3313,10 +3319,10 @@ PHP_FUNCTION(openssl_csr_new)
+ 					X509V3_CTX ext_ctx;
+ 
+ 					X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, 0);
+-					X509V3_set_conf_lhash(&ext_ctx, req.req_config);
++					X509V3_set_nconf(&ext_ctx, req.req_config);
+ 
+ 					/* Add extensions */
+-					if (req.request_extensions_section && !X509V3_EXT_REQ_add_conf(req.req_config,
++					if (req.request_extensions_section && !X509V3_EXT_REQ_add_nconf(req.req_config,
+ 								&ext_ctx, req.request_extensions_section, csr))
+ 					{
+ 						php_openssl_store_errors();
diff --git a/srcpkgs/php8.0/template b/srcpkgs/php8.0/template
index 74c50da0e46f..1c215d1f841a 100644
--- a/srcpkgs/php8.0/template
+++ b/srcpkgs/php8.0/template
@@ -1,7 +1,7 @@
 # Template file for 'php8.0'
 pkgname=php8.0
 version=8.0.25
-revision=1
+revision=2
 _php_version=8.0
 hostmakedepends="bison pkg-config apache-devel"
 makedepends="apache-devel enchant2-devel freetds-devel freetype-devel gdbm-devel
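Review bot: The `revision=2` bump ships `patches/openssl3.patch`, which concatenates two commits to `ext/openssl/openssl.c` ("minimal fix for openssl 3.0" and "Use OpenSSL NCONF APIs") with no reference to the repository or branch they were taken from. Add the source URL as a header comment in the patch file, or split it into one file per commit, so the backport can be checked against its origin before the package is rebuilt.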


* Re: php8.0: patch for openssl3
  2023-02-13  2:21 [PR PATCH] php8.0: patch for openssl3 dkwo
@ 2023-02-15 19:20 ` TinfoilSubmarine
  2023-02-15 19:50 ` dkwo
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: TinfoilSubmarine @ 2023-02-15 19:20 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 316 bytes --]

New comment by TinfoilSubmarine on void-packages repository

https://github.com/void-linux/void-packages/pull/42231#issuecomment-1431892399

Comment:
My preference is that we get https://github.com/void-linux/void-packages/pull/38536 merged. Then we can get php8.2 in repo and drop 8.0 (since 8.1+ support openssl3)


* Re: php8.0: patch for openssl3
  2023-02-13  2:21 [PR PATCH] php8.0: patch for openssl3 dkwo
  2023-02-15 19:20 ` TinfoilSubmarine
@ 2023-02-15 19:50 ` dkwo
  2023-03-04 22:10 ` paper42
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: dkwo @ 2023-02-15 19:50 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 302 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/42231#issuecomment-1431935433

Comment:
That PR is dropping 7.*, right? Assuming it gets merged soon, would you mind adding this patch for 8.0 there temporarily, before that gets dropped sometime later?


* Re: php8.0: patch for openssl3
  2023-02-13  2:21 [PR PATCH] php8.0: patch for openssl3 dkwo
  2023-02-15 19:20 ` TinfoilSubmarine
  2023-02-15 19:50 ` dkwo
@ 2023-03-04 22:10 ` paper42
  2023-03-07 14:35 ` TinfoilSubmarine
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: paper42 @ 2023-03-04 22:10 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 347 bytes --]

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/42231#issuecomment-1454903185

Comment:
@TinfoilSubmarine I don't think we should drop php 8.0, it is still getting security fixes until the end of the year and some projects still prefer it. Are there some big issues with php 8.0 and openssl 3?


* Re: php8.0: patch for openssl3
  2023-02-13  2:21 [PR PATCH] php8.0: patch for openssl3 dkwo
                   ` (2 preceding siblings ...)
  2023-03-04 22:10 ` paper42
@ 2023-03-07 14:35 ` TinfoilSubmarine
  2023-03-07 16:25 ` paper42
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: TinfoilSubmarine @ 2023-03-07 14:35 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 344 bytes --]

New comment by TinfoilSubmarine on void-packages repository

https://github.com/void-linux/void-packages/pull/42231#issuecomment-1458283188

Comment:
It is not supported, see https://www.php.net/manual/en/openssl.requirements.php and https://bugs.php.net/bug.php?id=81540&edit=1. I don't know where this patch came from, but it's not official.


* Re: php8.0: patch for openssl3
  2023-02-13  2:21 [PR PATCH] php8.0: patch for openssl3 dkwo
                   ` (3 preceding siblings ...)
  2023-03-07 14:35 ` TinfoilSubmarine
@ 2023-03-07 16:25 ` paper42
  2023-03-07 16:35 ` dkwo
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: paper42 @ 2023-03-07 16:25 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 204 bytes --]

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/42231#issuecomment-1458457907

Comment:
I would be in favor of building it with openssl1.1-compat then


* Re: php8.0: patch for openssl3
  2023-02-13  2:21 [PR PATCH] php8.0: patch for openssl3 dkwo
                   ` (4 preceding siblings ...)
  2023-03-07 16:25 ` paper42
@ 2023-03-07 16:35 ` dkwo
  2023-03-07 16:41 ` paper42
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: dkwo @ 2023-03-07 16:35 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 343 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/42231#issuecomment-1458474600

Comment:
@paper42 Ok, but last time I tried it conflicts with openssl, which seems to be pulled in by default in the chroot. What is the right way to do it? I can then apply that also to the other removed package.


* Re: php8.0: patch for openssl3
  2023-02-13  2:21 [PR PATCH] php8.0: patch for openssl3 dkwo
                   ` (5 preceding siblings ...)
  2023-03-07 16:35 ` dkwo
@ 2023-03-07 16:41 ` paper42
  2023-03-07 18:53 ` dkwo
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: paper42 @ 2023-03-07 16:41 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 679 bytes --]

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/42231#issuecomment-1458486887

Comment:
> @paper42 Ok, but last time I tried it conflicts with openssl, which seems to be pulled in by default in the chroot. What is the right way to do it? I can then apply that also to the other removed package.

openssl1.1-devel conflicting with openssl-devel doesn't matter because only one will be installed at one time, openssl1.1-compat can probably be an empty meta-package because I think we don't need anything it provides. Also, openssl1.1-devel probably doesn't have to depend on openssl1.1-compat, but you would have to try that.


* Re: php8.0: patch for openssl3
  2023-02-13  2:21 [PR PATCH] php8.0: patch for openssl3 dkwo
                   ` (6 preceding siblings ...)
  2023-03-07 16:41 ` paper42
@ 2023-03-07 18:53 ` dkwo
  2023-03-09 19:05 ` paper42
  2023-03-09 20:34 ` [PR PATCH] [Closed]: " dkwo
  9 siblings, 0 replies; 11+ messages in thread
From: dkwo @ 2023-03-07 18:53 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 284 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/42231#issuecomment-1458666222

Comment:
Hmm that worked for `gcsf`, but it seems something (for sure `apache-devel`, maybe others) in `php8.0` brings in `openssl-devel` independently ??


* Re: php8.0: patch for openssl3
  2023-02-13  2:21 [PR PATCH] php8.0: patch for openssl3 dkwo
                   ` (7 preceding siblings ...)
  2023-03-07 18:53 ` dkwo
@ 2023-03-09 19:05 ` paper42
  2023-03-09 20:34 ` [PR PATCH] [Closed]: " dkwo
  9 siblings, 0 replies; 11+ messages in thread
From: paper42 @ 2023-03-09 19:05 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 207 bytes --]

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/42231#issuecomment-1462617984

Comment:
I guess we will have to remove this package with openssl 3.0 then


* Re: [PR PATCH] [Closed]: php8.0: patch for openssl3
  2023-02-13  2:21 [PR PATCH] php8.0: patch for openssl3 dkwo
                   ` (8 preceding siblings ...)
  2023-03-09 19:05 ` paper42
@ 2023-03-09 20:34 ` dkwo
  9 siblings, 0 replies; 11+ messages in thread
From: dkwo @ 2023-03-09 20:34 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 295 bytes --]

There's a closed pull request on the void-packages repository

php8.0: patch for openssl3
https://github.com/void-linux/void-packages/pull/42231

Description:
- I tested the changes in this PR: no
- I built this PR locally for my native architecture, (x86_64-musl)

#37681 @TinfoilSubmarine 

