diff --git a/10-opcache.ini b/10-opcache.ini index b3d4e6e6ee5cf9c6e96cbf8bb499636a7122d72a..a5be17292bdebb08a355fed5f3d661613291f9d2 100644 --- a/10-opcache.ini +++ b/10-opcache.ini @@ -67,6 +67,10 @@ opcache.blacklist_filename=/etc/php.d/opcache*.blacklist ; are cached. ;opcache.max_file_size=0 +; Check the cache checksum each N requests. +; The default value of "0" means that the checks are disabled. +;opcache.consistency_checks=0 + ; How long to wait (in seconds) for a scheduled restart to begin if the cache ; is not being accessed. ;opcache.force_restart_timeout=180 @@ -111,12 +115,7 @@ opcache.blacklist_filename=/etc/php.d/opcache*.blacklist ;opcache.file_cache_fallback=1 ; Enables or disables copying of PHP code (text segment) into HUGE PAGES. -; Under certain circumstances (if only a single global PHP process is -; started from which all others fork), this can increase performance -; by a tiny amount because TLB misses are reduced. On the other hand, this -; delays PHP startup, increases memory usage and degrades performance -; under memory pressure - use with care. -; Requires appropriate OS configuration. +; This should improve performance, but requires appropriate OS configuration. opcache.huge_code_pages=0 ; Validate cached file permissions. @@ -137,12 +136,12 @@ opcache.huge_code_pages=0 ; Specifies a PHP script that is going to be compiled and executed at server ; start-up. -; https://php.net/opcache.preload +; http://php.net/opcache.preload ;opcache.preload= ; Preloading code as root is not allowed for security reasons. This directive ; facilitates to let the preloading to be run as another user. -; https://php.net/opcache.preload_user +; http://php.net/opcache.preload_user ;opcache.preload_user= ; Prevents caching files that are less than this number of seconds old. It diff --git a/macros.php b/macros.php index 13a84f12118e97bdb3b7e7504d299b337dd6fe5a..4a039aac1ada864a27d81607a825e7100d4247e1 100644 --- a/macros.php +++ b/macros.php 
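Review bot: The new comment for `opcache.huge_code_pages` in the second hunk says only that the setting "should improve performance" and drops the caveats the old text carried: the benefit is limited to a single forking parent process, startup is slower, memory use is higher, and performance degrades under memory pressure. The shipped value stays `0`, so runtime behaviour is unchanged, but an administrator reading the file no longer sees why it is off. I would keep at least one line of the removed text, e.g. `; Increases memory usage and can degrade performance under memory pressure - use with care.` The third hunk has a similar comment-only regression: the two `opcache.preload` links go from `https://` to `http://`, and keeping the `https://` form costs nothing.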
@@ -18,10 +18,4 @@ %__php %{_bindir}/php %__ztsphp %{_bindir}/zts-php -%__phpize %{_bindir}/phpize -%__ztsphpize %{_bindir}/zts-phpize - -%__phpconfig %{_bindir}/php-config -%__ztsphpconfig %{_bindir}/zts-php-config - %pecl_xmldir %{_sharedstatedir}/php/peclxml diff --git a/php-7.4.0-libdb.patch b/php-7.4.0-libdb.patch new file mode 100644 index 0000000000000000000000000000000000000000..d7c6289f5281e3786373d4f7cf20319cba0cac15 --- /dev/null +++ b/php-7.4.0-libdb.patch 
@@ -0,0 +1,92 @@ +diff -up ./ext/dba/config.m4.libdb ./ext/dba/config.m4 +--- ./ext/dba/config.m4.libdb 2020-04-09 14:06:11.000000000 +0200 ++++ ./ext/dba/config.m4 2020-04-09 14:35:08.208605065 +0200 +@@ -375,61 +375,13 @@ if test "$PHP_DB4" != "no"; then + dbdp4="/usr/local/BerkeleyDB.4." + dbdp5="/usr/local/BerkeleyDB.5." + for i in $PHP_DB4 ${dbdp5}1 ${dbdp5}0 ${dbdp4}8 ${dbdp4}7 ${dbdp4}6 ${dbdp4}5 ${dbdp4}4 ${dbdp4}3 ${dbdp4}2 ${dbdp4}1 ${dbdp}0 /usr/local /usr; do +- if test -f "$i/db5/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/db5/db.h +- break +- elif test -f "$i/db4/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/db4/db.h +- break +- elif test -f "$i/include/db5.3/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db5.3/db.h +- break +- elif test -f "$i/include/db5.1/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db5.1/db.h +- break +- elif test -f "$i/include/db5.0/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db5.0/db.h +- break +- elif test -f "$i/include/db4.8/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.8/db.h +- break +- elif test -f "$i/include/db4.7/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.7/db.h +- break +- elif test -f "$i/include/db4.6/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.6/db.h +- break +- elif test -f "$i/include/db4.5/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.5/db.h +- break +- elif test -f "$i/include/db4/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4/db.h +- break +- elif test -f "$i/include/db/db4.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db/db4.h +- break +- elif test -f "$i/include/db4.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.h +- break +- elif test -f "$i/include/db.h"; then ++ if test -f "$i/include/db.h"; then + THIS_PREFIX=$i + THIS_INCLUDE=$i/include/db.h + break + fi + done +- PHP_DBA_DB_CHECK(4, db-5.3 db-5.1 db-5.0 db-4.8 db-4.7 db-4.6 db-4.5 db-4.4 db-4.3 db-4.2 db-4.1 
db-4.0 db-4 db4 db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)]) ++ PHP_DBA_DB_CHECK(4, db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)]) + fi + PHP_DBA_STD_RESULT(db4,Berkeley DB4) + +diff -up ./ext/dba/dba.c.libdb ./ext/dba/dba.c +--- ./ext/dba/dba.c.libdb 2020-04-09 14:06:11.000000000 +0200 ++++ ./ext/dba/dba.c 2020-04-09 14:36:30.593275190 +0200 +@@ -50,6 +50,10 @@ + #include "php_lmdb.h" + #include "dba_arginfo.h" + ++#ifdef DB4_INCLUDE_FILE ++#include DB4_INCLUDE_FILE ++#endif ++ + PHP_MINIT_FUNCTION(dba); + PHP_MSHUTDOWN_FUNCTION(dba); + PHP_MINFO_FUNCTION(dba); +@@ -459,6 +463,10 @@ PHP_MINFO_FUNCTION(dba) + + php_info_print_table_start(); + php_info_print_table_row(2, "DBA support", "enabled"); ++#ifdef DB_VERSION_STRING ++ php_info_print_table_row(2, "libdb header version", DB_VERSION_STRING); ++ php_info_print_table_row(2, "libdb library version", db_version(NULL, NULL, NULL)); ++#endif + if (handlers.s) { + smart_str_0(&handlers); + php_info_print_table_row(2, "Supported handlers", ZSTR_VAL(handlers.s)); diff --git a/php-8.0.0-phpinfo.patch b/php-8.0.0-phpinfo.patch new file mode 100644 index 0000000000000000000000000000000000000000..391d9969e12b0aa2a5a09ca673808f571c94c23d --- /dev/null +++ b/php-8.0.0-phpinfo.patch 
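Review bot: `php-7.4.0-libdb.patch` is added without a description header, unlike the other patch files in this commit, so the reason for reducing the header search to `$i/include/db.h` and the library list to `db` is not recorded. A short header would help, something like `Build dba against the single system libdb (include/db.h, -ldb) and show header and library versions in phpinfo.`, worded to match the actual intent. The loop kept as context still tries `$PHP_DB4`, the `/usr/local/BerkeleyDB.*` prefixes and `/usr/local` before `/usr`, so the first `include/db.h` found decides the build. If only the distribution's libdb is meant to be used, that ordering deserves a mention in the header. The two new rows in `PHP_MINFO_FUNCTION(dba)` presumably exist to make a header/library mismatch visible, which would also be worth stating.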
@@ -0,0 +1,118 @@ + +Drop "Configure Command" from phpinfo as it doesn't +provide any useful information. +The available extensions are not related to this command. + +Replace full GCC name by gcc in php -v output + + +Also apply + +From 9bf43c45908433d382f0499d529849172d0d8206 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Mon, 28 Dec 2020 08:33:09 +0100 +Subject: [PATCH] rename COMPILER and ARCHITECTURE macro (too generic) + +--- + configure.ac | 4 ++-- + ext/standard/info.c | 8 ++++---- + sapi/cli/php_cli.c | 8 ++++---- + win32/build/confutils.js | 10 +++++----- + 4 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 9d9c8b155b07..143dc061346b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1289,10 +1289,10 @@ if test -n "${PHP_BUILD_PROVIDER}"; then + AC_DEFINE_UNQUOTED(PHP_BUILD_PROVIDER,"$PHP_BUILD_PROVIDER",[build provider]) + fi + if test -n "${PHP_BUILD_COMPILER}"; then +- AC_DEFINE_UNQUOTED(COMPILER,"$PHP_BUILD_COMPILER",[used compiler for build]) ++ AC_DEFINE_UNQUOTED(PHP_BUILD_COMPILER,"$PHP_BUILD_COMPILER",[used compiler for build]) + fi + if test -n "${PHP_BUILD_ARCH}"; then +- AC_DEFINE_UNQUOTED(ARCHITECTURE,"$PHP_BUILD_ARCH",[build architecture]) ++ AC_DEFINE_UNQUOTED(PHP_BUILD_ARCH,"$PHP_BUILD_ARCH",[build architecture]) + fi + + PHP_SUBST_OLD(PHP_INSTALLED_SAPIS) +diff --git a/ext/standard/info.c b/ext/standard/info.c +index 153cb6cde014..8ceef31d9fe4 100644 +--- a/ext/standard/info.c ++++ b/ext/standard/info.c +@@ -798,11 +798,11 @@ PHPAPI ZEND_COLD void php_print_info(int flag) + #ifdef PHP_BUILD_PROVIDER + php_info_print_table_row(2, "Build Provider", PHP_BUILD_PROVIDER); + #endif +-#ifdef COMPILER +- php_info_print_table_row(2, "Compiler", COMPILER); ++#ifdef PHP_BUILD_COMPILER ++ php_info_print_table_row(2, "Compiler", PHP_BUILD_COMPILER); + #endif +-#ifdef ARCHITECTURE +- php_info_print_table_row(2, "Architecture", ARCHITECTURE); ++#ifdef PHP_BUILD_ARCH ++ php_info_print_table_row(2, 
"Architecture", PHP_BUILD_ARCH); + #endif + #ifdef CONFIGURE_COMMAND + php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); +diff --git a/sapi/cli/php_cli.c b/sapi/cli/php_cli.c +index 5092fb0ffd68..9d296acec631 100644 +--- a/sapi/cli/php_cli.c ++++ b/sapi/cli/php_cli.c +@@ -640,12 +640,12 @@ static int do_cli(int argc, char **argv) /* {{{ */ + #else + "NTS " + #endif +-#ifdef COMPILER +- COMPILER ++#ifdef PHP_BUILD_COMPILER ++ PHP_BUILD_COMPILER + " " + #endif +-#ifdef ARCHITECTURE +- ARCHITECTURE ++#ifdef PHP_BUILD_ARCH ++ PHP_BUILD_ARCH + " " + #endif + #if ZEND_DEBUG + +diff -up ./ext/standard/info.c.phpinfo ./ext/standard/info.c +--- ./ext/standard/info.c.phpinfo 2020-07-21 10:49:31.000000000 +0200 ++++ ./ext/standard/info.c 2020-07-21 11:41:56.295633523 +0200 +@@ -804,9 +804,6 @@ PHPAPI ZEND_COLD void php_print_info(int + #ifdef PHP_BUILD_ARCH + php_info_print_table_row(2, "Architecture", PHP_BUILD_ARCH); + #endif +-#ifdef CONFIGURE_COMMAND +- php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); +-#endif + + if (sapi_module.pretty_name) { + php_info_print_table_row(2, "Server API", sapi_module.pretty_name ); +diff -up ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo ./ext/standard/tests/general_functions/phpinfo.phpt +--- ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo 2020-07-21 10:49:31.000000000 +0200 ++++ ./ext/standard/tests/general_functions/phpinfo.phpt 2020-07-21 11:41:56.296633522 +0200 +@@ -17,7 +17,6 @@ PHP Version => %s + + System => %s + Build Date => %s%a +-Configure Command => %s + Server API => Command Line Interface + Virtual Directory Support => %s + Configuration File (php.ini) Path => %s +diff -up ./sapi/cli/php_cli.c.phpinfo ./sapi/cli/php_cli.c +--- ./sapi/cli/php_cli.c.phpinfo 2020-07-21 11:43:38.812475300 +0200 ++++ ./sapi/cli/php_cli.c 2020-07-21 11:43:45.783464540 +0200 +@@ -641,8 +641,7 @@ static int do_cli(int argc, char **argv) + "NTS " + #endif + #ifdef PHP_BUILD_COMPILER 
+- PHP_BUILD_COMPILER +- " " ++ "gcc " + #endif + #ifdef PHP_BUILD_ARCH + PHP_BUILD_ARCH diff --git a/php-8.0.10-phar-sha.patch b/php-8.0.10-phar-sha.patch new file mode 100644 index 0000000000000000000000000000000000000000..7d6fa2c24b4e71a0dc0555058356e21de2dd0bd4 --- /dev/null +++ b/php-8.0.10-phar-sha.patch 
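Review bot: In the last `sapi/cli/php_cli.c` hunk the version banner prints the literal `"gcc "` whenever `PHP_BUILD_COMPILER` is defined, so `php -v` reports gcc whichever compiler produced the binary. If the package is only ever built with gcc this is harmless, but the header should record the assumption, e.g. `Replace full GCC name by gcc in php -v output (package is always built with gcc)`. The header justifies removing the "Configure Command" row only as "doesn't provide any useful information". It could add that the row also exposes build paths and options on any page where phpinfo() output is reachable, which is a reason to keep the patch when rebasing. `do_cli` and `php_print_info` both extend beyond the quoted hunks.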
@@ -0,0 +1,515 @@ +Backported for 8.0 from + + +From 8bb0c74e24359a11216824117ac3adf3d5ef7b71 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 5 Aug 2021 11:10:15 +0200 +Subject: [PATCH] switch phar to use sha256 signature by default + +--- + ext/phar/phar/pharcommand.inc | 2 +- + ext/phar/tests/create_new_and_modify.phpt | 4 ++-- + ext/phar/tests/create_new_phar_c.phpt | 4 ++-- + ext/phar/tests/phar_setsignaturealgo2.phpt | 2 +- + ext/phar/tests/tar/phar_setsignaturealgo2.phpt | 2 +- + ext/phar/tests/zip/phar_setsignaturealgo2.phpt | 2 +- + ext/phar/util.c | 6 +++--- + ext/phar/zip.c | 2 +- + 8 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc +index a31290eee75fe..5f698b4bec26b 100644 +--- a/ext/phar/phar/pharcommand.inc ++++ b/ext/phar/phar/pharcommand.inc +@@ -92,7 +92,7 @@ class PharCommand extends CLICommand + 'typ' => 'select', + 'val' => NULL, + 'inf' => ' Selects the hash algorithm.', +- 'select' => array('md5' => 'MD5','sha1' => 'SHA1') ++ 'select' => array('md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL') + ), + 'i' => array( + 'typ' => 'regex', +diff --git a/ext/phar/tests/create_new_and_modify.phpt b/ext/phar/tests/create_new_and_modify.phpt +index 02e36c6cea2fe..32defcae8a639 100644 +--- a/ext/phar/tests/create_new_and_modify.phpt ++++ b/ext/phar/tests/create_new_and_modify.phpt +@@ -49,8 +49,8 @@ include $pname . '/b.php'; + + --EXPECTF-- + brand new! +-string(40) "%s" +-string(40) "%s" ++string(%d) "%s" ++string(%d) "%s" + bool(true) + modified! + another! 
+diff --git a/ext/phar/tests/create_new_phar_c.phpt b/ext/phar/tests/create_new_phar_c.phpt +index 566d3c4d5f8ad..bf6d740fd1d10 100644 +--- a/ext/phar/tests/create_new_phar_c.phpt ++++ b/ext/phar/tests/create_new_phar_c.phpt +@@ -20,7 +20,7 @@ var_dump($phar->getSignature()); + --EXPECTF-- + array(2) { + ["hash"]=> +- string(40) "%s" ++ string(64) "%s" + ["hash_type"]=> +- string(5) "SHA-1" ++ string(7) "SHA-256" + } +diff --git a/ext/phar/tests/phar_setsignaturealgo2.phpt b/ext/phar/tests/phar_setsignaturealgo2.phpt +index 293d3196713d8..4f31836fbbbcc 100644 +--- a/ext/phar/tests/phar_setsignaturealgo2.phpt ++++ b/ext/phar/tests/phar_setsignaturealgo2.phpt +@@ -52,7 +52,7 @@ array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> +- string(5) "SHA-1" ++ string(7) "SHA-256" + } + array(2) { + ["hash"]=> +diff --git a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt +index 9923ac5c88476..cc10a241d739b 100644 +--- a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt ++++ b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt +@@ -51,7 +51,7 @@ array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> +- string(5) "SHA-1" ++ string(7) "SHA-256" + } + array(2) { + ["hash"]=> +diff --git a/ext/phar/tests/zip/phar_setsignaturealgo2.phpt b/ext/phar/tests/zip/phar_setsignaturealgo2.phpt +index 8de77479d7825..60fec578ee894 100644 +--- a/ext/phar/tests/zip/phar_setsignaturealgo2.phpt ++++ b/ext/phar/tests/zip/phar_setsignaturealgo2.phpt +@@ -78,7 +78,7 @@ array(2) { + ["hash"]=> + string(%d) "%s" + ["hash_type"]=> +- string(5) "SHA-1" ++ string(7) "SHA-256" + } + array(2) { + ["hash"]=> +diff --git a/ext/phar/util.c b/ext/phar/util.c +index 314acfe81a788..8d2db03b69601 100644 +--- a/ext/phar/util.c ++++ b/ext/phar/util.c +@@ -1798,6 +1798,8 @@ int phar_create_signature(phar_archive_d + *signature_length = 64; + break; + } ++ default: ++ phar->sig_flags = PHAR_SIG_SHA256; + case PHAR_SIG_SHA256: { + unsigned char digest[32]; + 
PHP_SHA256_CTX context; +@@ -1894,8 +1896,6 @@ int phar_create_signature(phar_archive_d + *signature_length = siglen; + } + break; +- default: +- phar->sig_flags = PHAR_SIG_SHA1; + case PHAR_SIG_SHA1: { + unsigned char digest[20]; + PHP_SHA1_CTX context; +diff --git a/ext/phar/zip.c b/ext/phar/zip.c +index 31d4bd2998215..c5e38cabf7b87 100644 +--- a/ext/phar/zip.c ++++ b/ext/phar/zip.c +@@ -1423,7 +1423,7 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, zend_long len, int + + memcpy(eocd.signature, "PK\5\6", 4); + if (!phar->is_data && !phar->sig_flags) { +- phar->sig_flags = PHAR_SIG_SHA1; ++ phar->sig_flags = PHAR_SIG_SHA256; + } + if (phar->sig_flags) { + PHAR_SET_16(eocd.counthere, zend_hash_num_elements(&phar->manifest) + 1); + +From c51af22fef988c1b2f92b7b9e3a9d745f7084815 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 5 Aug 2021 16:49:48 +0200 +Subject: [PATCH] implement openssl_256 and openssl_512 for phar singatures + +--- + ext/openssl/openssl.c | 1 + + ext/phar/phar.1.in | 10 +++- + ext/phar/phar.c | 8 +++- + ext/phar/phar/pharcommand.inc | 14 +++++- + ext/phar/phar_internal.h | 2 + + ext/phar/phar_object.c | 24 ++++++++-- + ext/phar/tests/files/openssl256.phar | Bin 0 -> 7129 bytes + ext/phar/tests/files/openssl256.phar.pubkey | 6 +++ + ext/phar/tests/files/openssl512.phar | Bin 0 -> 7129 bytes + ext/phar/tests/files/openssl512.phar.pubkey | 6 +++ + .../phar_get_supported_signatures_002a.phpt | 6 ++- + .../tests/tar/phar_setsignaturealgo2.phpt | 16 +++++++ + ext/phar/tests/test_signaturealgos.phpt | 8 ++++ + ext/phar/util.c | 45 ++++++++++++++---- + 14 files changed, 128 insertions(+), 18 deletions(-) + create mode 100644 ext/phar/tests/files/openssl256.phar + create mode 100644 ext/phar/tests/files/openssl256.phar.pubkey + create mode 100644 ext/phar/tests/files/openssl512.phar + create mode 100644 ext/phar/tests/files/openssl512.phar.pubkey + +diff --git a/ext/phar/phar.1.in b/ext/phar/phar.1.in +index 
77912b241dfd5..323e77b0e2a3b 100644 +--- a/ext/phar/phar.1.in ++++ b/ext/phar/phar.1.in +@@ -475,7 +475,15 @@ SHA512 + .TP + .PD + .B openssl +-OpenSSL ++OpenSSL using SHA-1 ++.TP ++.PD ++.B openssl_sha256 ++OpenSSL using SHA-256 ++.TP ++.PD ++.B openssl_sha512 ++OpenSSL using SHA-512 + + .SH SEE ALSO + For a more or less complete description of PHAR look here: +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 77f21cef9da53..bc08e4edde05d 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -869,6 +869,8 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch + PHAR_GET_32(sig_ptr, sig_flags); + + switch(sig_flags) { ++ case PHAR_SIG_OPENSSL_SHA512: ++ case PHAR_SIG_OPENSSL_SHA256: + case PHAR_SIG_OPENSSL: { + uint32_t signature_len; + char *sig; +@@ -903,7 +905,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch + return FAILURE; + } + +- if (FAILURE == phar_verify_signature(fp, end_of_phar, PHAR_SIG_OPENSSL, sig, signature_len, fname, &signature, &sig_len, error)) { ++ if (FAILURE == phar_verify_signature(fp, end_of_phar, sig_flags, sig, signature_len, fname, &signature, &sig_len, error)) { + efree(savebuf); + efree(sig); + php_stream_close(fp); +@@ -3162,7 +3164,9 @@ int phar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int conv + + php_stream_write(newfile, digest, digest_len); + efree(digest); +- if (phar->sig_flags == PHAR_SIG_OPENSSL) { ++ if (phar->sig_flags == PHAR_SIG_OPENSSL || ++ phar->sig_flags == PHAR_SIG_OPENSSL_SHA256 || ++ phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) { + phar_set_32(sig_buf, digest_len); + php_stream_write(newfile, sig_buf, 4); + } +diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc +index 5f698b4bec26b..1b1eeca59c560 100644 +--- a/ext/phar/phar/pharcommand.inc ++++ b/ext/phar/phar/pharcommand.inc +@@ -92,7 +92,7 @@ class PharCommand extends CLICommand + 'typ' => 'select', + 'val' => NULL, + 'inf' => ' Selects the hash 
algorithm.', +- 'select' => array('md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL') ++ 'select' => ['md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL', 'openssl_sha256' => 'OPENSSL_SHA256', 'openssl_sha512' => 'OPENSSL_SHA512'] + ), + 'i' => array( + 'typ' => 'regex', +@@ -156,6 +156,8 @@ class PharCommand extends CLICommand + $hash_avail = Phar::getSupportedSignatures(); + $hash_optional = array('SHA-256' => 'SHA256', + 'SHA-512' => 'SHA512', ++ 'OpenSSL_sha256' => 'OpenSSL_SHA256', ++ 'OpenSSL_sha512' => 'OpenSSL_SHA512', + 'OpenSSL' => 'OpenSSL'); + if (!in_array('OpenSSL', $hash_avail)) { + unset($phar_args['y']); +@@ -429,6 +431,16 @@ class PharCommand extends CLICommand + self::error("Cannot use OpenSSL signing without key.\n"); + } + return Phar::OPENSSL; ++ case 'openssl_sha256': ++ if (!$privkey) { ++ self::error("Cannot use OpenSSL signing without key.\n"); ++ } ++ return Phar::OPENSSL_SHA256; ++ case 'openssl_sha512': ++ if (!$privkey) { ++ self::error("Cannot use OpenSSL signing without key.\n"); ++ } ++ return Phar::OPENSSL_SHA512; + } + } + // }}} +diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h +index a9f81e2ab994a..30b408a8c4462 100644 +--- a/ext/phar/phar_internal.h ++++ b/ext/phar/phar_internal.h +@@ -88,6 +88,8 @@ + #define PHAR_SIG_SHA256 0x0003 + #define PHAR_SIG_SHA512 0x0004 + #define PHAR_SIG_OPENSSL 0x0010 ++#define PHAR_SIG_OPENSSL_SHA256 0x0011 ++#define PHAR_SIG_OPENSSL_SHA512 0x0012 + + /* flags byte for each file adheres to these bitmasks. 
+ All unused values are reserved */ +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index 9c1e5f2fa1eef..c05970e657f18 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -1246,9 +1246,13 @@ PHP_METHOD(Phar, getSupportedSignatures) + add_next_index_stringl(return_value, "SHA-512", 7); + #ifdef PHAR_HAVE_OPENSSL + add_next_index_stringl(return_value, "OpenSSL", 7); ++ add_next_index_stringl(return_value, "OpenSSL_SHA256", 14); ++ add_next_index_stringl(return_value, "OpenSSL_SHA512", 14); + #else + if (zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) { + add_next_index_stringl(return_value, "OpenSSL", 7); ++ add_next_index_stringl(return_value, "OpenSSL_SHA256", 14); ++ add_next_index_stringl(return_value, "OpenSSL_SHA512", 14); + } + #endif + } +@@ -3028,6 +3032,8 @@ PHP_METHOD(Phar, setSignatureAlgorithm) + case PHAR_SIG_MD5: + case PHAR_SIG_SHA1: + case PHAR_SIG_OPENSSL: ++ case PHAR_SIG_OPENSSL_SHA256: ++ case PHAR_SIG_OPENSSL_SHA512: + if (phar_obj->archive->is_persistent && FAILURE == phar_copy_on_write(&(phar_obj->archive))) { + zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" is persistent, unable to copy on write", phar_obj->archive->fname); + RETURN_THROWS(); +@@ -3066,19 +3072,25 @@ PHP_METHOD(Phar, getSignature) + add_assoc_stringl(return_value, "hash", phar_obj->archive->signature, phar_obj->archive->sig_len); + switch(phar_obj->archive->sig_flags) { + case PHAR_SIG_MD5: +- add_assoc_stringl(return_value, "hash_type", "MD5", 3); ++ add_assoc_string(return_value, "hash_type", "MD5"); + break; + case PHAR_SIG_SHA1: +- add_assoc_stringl(return_value, "hash_type", "SHA-1", 5); ++ add_assoc_string(return_value, "hash_type", "SHA-1"); + break; + case PHAR_SIG_SHA256: +- add_assoc_stringl(return_value, "hash_type", "SHA-256", 7); ++ add_assoc_string(return_value, "hash_type", "SHA-256"); + break; + case PHAR_SIG_SHA512: +- add_assoc_stringl(return_value, "hash_type", "SHA-512", 7); ++ 
add_assoc_string(return_value, "hash_type", "SHA-512"); + break; + case PHAR_SIG_OPENSSL: +- add_assoc_stringl(return_value, "hash_type", "OpenSSL", 7); ++ add_assoc_string(return_value, "hash_type", "OpenSSL"); ++ break; ++ case PHAR_SIG_OPENSSL_SHA256: ++ add_assoc_string(return_value, "hash_type", "OpenSSL_SHA256"); ++ break; ++ case PHAR_SIG_OPENSSL_SHA512: ++ add_assoc_string(return_value, "hash_type", "OpenSSL_SHA512"); + break; + default: + unknown = strpprintf(0, "Unknown (%u)", phar_obj->archive->sig_flags); +@@ -5103,6 +5115,8 @@ void phar_object_init(void) /* {{{ */ + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "PHPS", PHAR_MIME_PHPS) + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "MD5", PHAR_SIG_MD5) + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL", PHAR_SIG_OPENSSL) ++ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL_SHA256", PHAR_SIG_OPENSSL_SHA256) ++ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL_SHA512", PHAR_SIG_OPENSSL_SHA512) + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA1", PHAR_SIG_SHA1) + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA256", PHAR_SIG_SHA256) + REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA512", PHAR_SIG_SHA512) +diff --git a/ext/phar/tests/phar_get_supported_signatures_002a.phpt b/ext/phar/tests/phar_get_supported_signatures_002a.phpt +index 06d811f2c35c2..639143b3d2c90 100644 +--- a/ext/phar/tests/phar_get_supported_signatures_002a.phpt ++++ b/ext/phar/tests/phar_get_supported_signatures_002a.phpt +@@ -14,7 +14,7 @@ phar.readonly=0 + var_dump(Phar::getSupportedSignatures()); + ?> + --EXPECT-- +-array(5) { ++array(7) { + [0]=> + string(3) "MD5" + [1]=> +@@ -25,4 +25,8 @@ array(5) { + string(7) "SHA-512" + [4]=> + string(7) "OpenSSL" ++ [5]=> ++ string(14) "OpenSSL_SHA256" ++ [6]=> ++ string(14) "OpenSSL_SHA512" + } +diff --git a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt +index cc10a241d739b..c2eb5d77a5bf0 100644 +--- 
a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt ++++ b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt +@@ -38,6 +38,10 @@ $pkey = ''; + openssl_pkey_export($private, $pkey, NULL, $config_arg); + $p->setSignatureAlgorithm(Phar::OPENSSL, $pkey); + var_dump($p->getSignature()); ++$p->setSignatureAlgorithm(Phar::OPENSSL_SHA512, $pkey); ++var_dump($p->getSignature()); ++$p->setSignatureAlgorithm(Phar::OPENSSL_SHA256, $pkey); ++var_dump($p->getSignature()); + } catch (Exception $e) { + echo $e->getMessage(); + } +@@ -83,3 +87,15 @@ array(2) { + ["hash_type"]=> + string(7) "OpenSSL" + } ++array(2) { ++ ["hash"]=> ++ string(%d) "%s" ++ ["hash_type"]=> ++ string(14) "OpenSSL_SHA512" ++} ++array(2) { ++ ["hash"]=> ++ string(%d) "%s" ++ ["hash_type"]=> ++ string(14) "OpenSSL_SHA256" ++} +diff --git a/ext/phar/util.c b/ext/phar/util.c +index 8d2db03b69601..515830bf2c70a 100644 +--- a/ext/phar/util.c ++++ b/ext/phar/util.c +@@ -34,7 +34,7 @@ + #include + #include + #else +-static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len); ++static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, php_uint32 sig_type); + #endif + + /* for links to relative location, prepend cwd of the entry */ +@@ -1381,11 +1381,11 @@ static int phar_hex_str(const char *digest, size_t digest_len, char **signature) + /* }}} */ + + #ifndef PHAR_HAVE_OPENSSL +-static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len) /* {{{ */ ++static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, php_uint32 sig_type) /* {{{ */ + { + zend_fcall_info fci; + zend_fcall_info_cache fcc; +- zval retval, zp[3], openssl; ++ zval retval, zp[4], 
openssl; + zend_string *str; + + ZVAL_STRINGL(&openssl, is_sign ? "openssl_sign" : "openssl_verify", is_sign ? sizeof("openssl_sign")-1 : sizeof("openssl_verify")-1); +@@ -1402,6 +1402,14 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t + } else { + ZVAL_EMPTY_STRING(&zp[0]); + } ++ if (sig_type == PHAR_SIG_OPENSSL_SHA512) { ++ ZVAL_LONG(&zp[3], 9); /* value from openssl.c #define OPENSSL_ALGO_SHA512 9 */ ++ } else if (sig_type == PHAR_SIG_OPENSSL_SHA256) { ++ ZVAL_LONG(&zp[3], 7); /* value from openssl.c #define OPENSSL_ALGO_SHA256 7 */ ++ } else { ++ /* don't rely on default value which may change in the future */ ++ ZVAL_LONG(&zp[3], 1); /* value from openssl.c #define OPENSSL_ALGO_SHA1 1 */ ++ } + + if ((size_t)end != Z_STRLEN(zp[0])) { + zval_ptr_dtor_str(&zp[0]); +@@ -1419,7 +1427,7 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t + return FAILURE; + } + +- fci.param_count = 3; ++ fci.param_count = 4; + fci.params = zp; + Z_ADDREF(zp[0]); + if (is_sign) { +@@ -1482,12 +1490,22 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type, + php_stream_rewind(fp); + + switch (sig_type) { ++ case PHAR_SIG_OPENSSL_SHA512: ++ case PHAR_SIG_OPENSSL_SHA256: + case PHAR_SIG_OPENSSL: { + #ifdef PHAR_HAVE_OPENSSL + BIO *in; + EVP_PKEY *key; +- EVP_MD *mdtype = (EVP_MD *) EVP_sha1(); ++ const EVP_MD *mdtype; + EVP_MD_CTX *md_ctx; ++ ++ if (sig_type == PHAR_SIG_OPENSSL_SHA512) { ++ mdtype = EVP_sha512(); ++ } else if (sig_type == PHAR_SIG_OPENSSL_SHA256) { ++ mdtype = EVP_sha256(); ++ } else { ++ mdtype = EVP_sha1(); ++ } + #else + size_t tempsig; + #endif +@@ -1521,7 +1539,7 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type, + #ifndef PHAR_HAVE_OPENSSL + tempsig = sig_len; + +- if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey ? ZSTR_VAL(pubkey) : NULL, pubkey ? 
ZSTR_LEN(pubkey) : 0, &sig, &tempsig)) { ++ if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey ? ZSTR_VAL(pubkey) : NULL, pubkey ? ZSTR_LEN(pubkey) : 0, &sig, &tempsig, sig_type)) { + if (pubkey) { + zend_string_release_ex(pubkey, 0); + } +@@ -1815,6 +1833,8 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat + *signature_length = 32; + break; + } ++ case PHAR_SIG_OPENSSL_SHA512: ++ case PHAR_SIG_OPENSSL_SHA256: + case PHAR_SIG_OPENSSL: { + unsigned char *sigbuf; + #ifdef PHAR_HAVE_OPENSSL +@@ -1822,6 +1842,15 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat + BIO *in; + EVP_PKEY *key; + EVP_MD_CTX *md_ctx; ++ const EVP_MD *mdtype; ++ ++ if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) { ++ mdtype = EVP_sha512(); ++ } else if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA256) { ++ mdtype = EVP_sha256(); ++ } else { ++ mdtype = EVP_sha1(); ++ } + + in = BIO_new_mem_buf(PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len)); + +@@ -1847,7 +1876,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat + siglen = EVP_PKEY_size(key); + sigbuf = emalloc(siglen + 1); + +- if (!EVP_SignInit(md_ctx, EVP_sha1())) { ++ if (!EVP_SignInit(md_ctx, mdtype)) { + EVP_PKEY_free(key); + efree(sigbuf); + if (error) { +@@ -1885,7 +1914,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat + siglen = 0; + php_stream_seek(fp, 0, SEEK_END); + +- if (FAILURE == phar_call_openssl_signverify(1, fp, php_stream_tell(fp), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen)) { ++ if (FAILURE == phar_call_openssl_signverify(1, fp, php_stream_tell(fp), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen, phar->sig_flags)) { + if (error) { + spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname); + } 
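Review bot: The switch to SHA-256 applies only when an archive is written (the moved `default:` in `phar_create_signature` and the `phar_zip_flush` change); on read, `phar_parse_pharfile` still takes `sig_flags` from the archive and passes it to `phar_verify_signature`. Archives declaring MD5, SHA-1 or `PHAR_SIG_OPENSSL` (SHA-1) therefore appear to be accepted exactly as before. The patch header should say so, e.g. `Only the default for newly written archives changes; verification still accepts every algorithm an archive declares.` Separately, the non-`PHAR_HAVE_OPENSSL` path of `phar_call_openssl_signverify` selects the digest with the literals `9`, `7` and `1` copied from openssl.c, and the diffstat lists a one-line `ext/openssl/openssl.c` change that this backport does not contain. It is worth confirming those values against the openssl extension actually built, since a mismatch would sign with a different digest than the flag written to the archive; the functions touched all extend beyond the quoted hunks.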
diff --git a/php-8.0.10-snmp-sha.patch b/php-8.0.10-snmp-sha.patch new file mode 100644 index 0000000000000000000000000000000000000000..a48ad5f01495ca9ade29aabc409fc1dc72a6271a --- /dev/null +++ b/php-8.0.10-snmp-sha.patch 
@@ -0,0 +1,143 @@ +Backported for 8.0 from + + +From 718e91343fddb8817a004f96f111c424843bf746 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Wed, 11 Aug 2021 13:02:18 +0200 +Subject: [PATCH] add SHA256 and SHA512 for security protocol + +--- + ext/snmp/config.m4 | 18 +++++++++- + ext/snmp/snmp.c | 33 ++++++++++++++++++- + .../tests/snmp-object-setSecurity_error.phpt | 2 +- + ext/snmp/tests/snmp3-error.phpt | 2 +- + 4 files changed, 51 insertions(+), 4 deletions(-) + +diff --git a/ext/snmp/config.m4 b/ext/snmp/config.m4 +index 1475ddfe2b7f0..f285a572de9cb 100644 +--- a/ext/snmp/config.m4 ++++ b/ext/snmp/config.m4 +@@ -30,7 +30,7 @@ if test "$PHP_SNMP" != "no"; then + AC_MSG_ERROR([Could not find the required paths. Please check your net-snmp installation.]) + fi + else +- AC_MSG_ERROR([Net-SNMP version 5.3 or greater reqired (detected $snmp_full_version).]) ++ AC_MSG_ERROR([Net-SNMP version 5.3 or greater required (detected $snmp_full_version).]) + fi + else + AC_MSG_ERROR([Could not find net-snmp-config binary. Please check your net-snmp installation.]) +@@ -54,6 +54,22 @@ if test "$PHP_SNMP" != "no"; then + $SNMP_SHARED_LIBADD + ]) + ++ dnl Check whether usmHMAC192SHA256AuthProtocol exists. ++ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC192SHA256AuthProtocol, ++ [ ++ AC_DEFINE(HAVE_SNMP_SHA256, 1, [ ]) ++ ], [], [ ++ $SNMP_SHARED_LIBADD ++ ]) ++ ++ dnl Check whether usmHMAC384SHA512AuthProtocol exists. 
++ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC384SHA512AuthProtocol, ++ [ ++ AC_DEFINE(HAVE_SNMP_SHA512, 1, [ ]) ++ ], [], [ ++ $SNMP_SHARED_LIBADD ++ ]) ++ + PHP_NEW_EXTENSION(snmp, snmp.c, $ext_shared) + PHP_SUBST(SNMP_SHARED_LIBADD) + fi +diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c +index 69d6549405b17..f0917501751f5 100644 +--- a/ext/snmp/snmp.c ++++ b/ext/snmp/snmp.c +@@ -29,6 +29,7 @@ + #include "php_snmp.h" + + #include "zend_exceptions.h" ++#include "zend_smart_string.h" + #include "ext/spl/spl_exceptions.h" + #include "snmp_arginfo.h" + +@@ -938,16 +939,48 @@ static int netsnmp_session_set_auth_protocol(struct snmp_session *s, char *prot) + if (!strcasecmp(prot, "MD5")) { + s->securityAuthProto = usmHMACMD5AuthProtocol; + s->securityAuthProtoLen = USM_AUTH_PROTO_MD5_LEN; +- } else ++ return 0; ++ } + #endif ++ + if (!strcasecmp(prot, "SHA")) { + s->securityAuthProto = usmHMACSHA1AuthProtocol; + s->securityAuthProtoLen = USM_AUTH_PROTO_SHA_LEN; +- } else { +- zend_value_error("Authentication protocol must be either \"MD5\" or \"SHA\""); +- return (-1); ++ return 0; + } +- return (0); ++ ++#ifdef HAVE_SNMP_SHA256 ++ if (!strcasecmp(prot, "SHA256")) { ++ s->securityAuthProto = usmHMAC192SHA256AuthProtocol; ++ s->securityAuthProtoLen = sizeof(usmHMAC192SHA256AuthProtocol) / sizeof(oid); ++ return 0; ++ } ++#endif ++ ++#ifdef HAVE_SNMP_SHA512 ++ if (!strcasecmp(prot, "SHA512")) { ++ s->securityAuthProto = usmHMAC384SHA512AuthProtocol; ++ s->securityAuthProtoLen = sizeof(usmHMAC384SHA512AuthProtocol) / sizeof(oid); ++ return 0; ++ } ++#endif ++ ++ smart_string err = {0}; ++ ++ smart_string_appends(&err, "Authentication protocol must be \"SHA\""); ++#ifdef HAVE_SNMP_SHA256 ++ smart_string_appends(&err, " or \"SHA256\""); ++#endif ++#ifdef HAVE_SNMP_SHA512 ++ smart_string_appends(&err, " or \"SHA512\""); ++#endif ++#ifndef DISABLE_MD5 ++ smart_string_appends(&err, " or \"MD5\""); ++#endif ++ smart_string_0(&err); ++ zend_value_error("%s", err.c); ++ 
smart_string_free(&err); ++ return -1; + } + /* }}} */ + +diff --git a/ext/snmp/tests/snmp-object-setSecurity_error.phpt b/ext/snmp/tests/snmp-object-setSecurity_error.phpt +index f8de846492a75..cf4f928837773 100644 +--- a/ext/snmp/tests/snmp-object-setSecurity_error.phpt ++++ b/ext/snmp/tests/snmp-object-setSecurity_error.phpt +@@ -59,7 +59,7 @@ var_dump($session->close()); + --EXPECTF-- + Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" + Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" +-Authentication protocol must be either "MD5" or "SHA" ++Authentication protocol must be %s + + Warning: SNMP::setSecurity(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d + bool(false) +diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt +index 849e363b45058..389800dad6b28 100644 +--- a/ext/snmp/tests/snmp3-error.phpt ++++ b/ext/snmp/tests/snmp3-error.phpt +@@ -58,7 +58,7 @@ try { + Checking error handling + Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" + Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" +-Authentication protocol must be either "MD5" or "SHA" ++Authentication protocol must be %s + + Warning: snmp3_get(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d + bool(false) diff --git a/php-8.0.10-systzdata-v21.patch b/php-8.0.10-systzdata-v21.patch new file mode 100644 index 0000000000000000000000000000000000000000..779f538a3901367b993f740bcf0e59decad69503 --- /dev/null +++ b/php-8.0.10-systzdata-v21.patch 
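Review bot: The two new branches in `netsnmp_session_set_auth_protocol` compute the OID length as `sizeof(usmHMAC192SHA256AuthProtocol) / sizeof(oid)` (and the SHA512 equivalent), while the MD5 and SHA branches use the `USM_AUTH_PROTO_MD5_LEN` / `USM_AUTH_PROTO_SHA_LEN` macros. The `sizeof` form is only correct if net-snmp declares these symbols as sized arrays, which the hunk does not show; a comment such as `/* relies on net-snmp declaring this OID as a sized array */` would record the assumption. Both test expectations are loosened to `Authentication protocol must be %s`, so they no longer pin which protocols the error message lists for a given build. MD5 and SHA (SHA-1) remain accepted, so the stronger protocols are opt-in by the caller and available only when the configure checks found the symbols.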
@@ -0,0 +1,718 @@ +# License: MIT +# http://opensource.org/licenses/MIT + +Add support for use of the system timezone database, rather +than embedding a copy. Discussed upstream but was not desired. + +History: +r21: retrieve tzdata version from /usr/share/zoneinfo/tzdata.zi +r20: adapt for timelib 2020.03 (in 8.0.10RC1) +r19: adapt for timelib 2020.02 (in 8.0.0beta2) +r18: adapt for autotool change in 7.3.3RC1 +r17: adapt for timelib 2018.01 (in 7.3.2RC1) +r16: adapt for timelib 2017.06 (in 7.2.3RC1) +r15: adapt for timelib 2017.05beta7 (in 7.2.0RC1) +r14: improve check for valid tz file +r13: adapt for upstream changes to use PHP allocator +r12: adapt for upstream changes for new zic +r11: use canonical names to avoid more case sensitivity issues + round lat/long from zone.tab towards zero per builtin db +r10: make timezone case insensitive +r9: fix another compile error without --with-system-tzdata configured (Michael Heimpold) +r8: fix compile error without --with-system-tzdata configured +r7: improve check for valid timezone id to exclude directories +r6: fix fd leak in r5, fix country code/BC flag use in + timezone_identifiers_list() using system db, + fix use of PECL timezonedb to override system db, +r5: reverts addition of "System/Localtime" fake tzname. 
+ updated for 5.3.0, parses zone.tab to pick up mapping between + timezone name, country code and long/lat coords +r4: added "System/Localtime" tzname which uses /etc/localtime +r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert) +r2: add filesystem trawl to set up name alias index +r1: initial revision + +diff --git a/ext/date/config0.m4 b/ext/date/config0.m4 +index 20e4164aaa..a61243646d 100644 +--- a/ext/date/config0.m4 ++++ b/ext/date/config0.m4 +@@ -4,6 +4,19 @@ AC_CHECK_HEADERS([io.h]) + dnl Check for strtoll, atoll + AC_CHECK_FUNCS(strtoll atoll) + ++PHP_ARG_WITH(system-tzdata, for use of system timezone data, ++[ --with-system-tzdata[=DIR] to specify use of system timezone data], ++no, no) ++ ++if test "$PHP_SYSTEM_TZDATA" != "no"; then ++ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used]) ++ ++ if test "$PHP_SYSTEM_TZDATA" != "yes"; then ++ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA", ++ [Define for location of system timezone data]) ++ fi ++fi ++ + PHP_DATE_CFLAGS="-I@ext_builddir@/lib -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -DHAVE_TIMELIB_CONFIG_H=1" + timelib_sources="lib/astro.c lib/dow.c lib/parse_date.c lib/parse_tz.c + lib/timelib.c lib/tm2unixtime.c lib/unixtime2tm.c lib/parse_iso_intervals.c lib/interval.c" +diff --git a/ext/date/lib/parse_tz.c b/ext/date/lib/parse_tz.c +index e9bd0f136d..c04ff01adc 100644 +--- a/ext/date/lib/parse_tz.c ++++ b/ext/date/lib/parse_tz.c +@@ -26,8 +26,21 @@ + #include "timelib.h" + #include "timelib_private.h" + ++#ifdef HAVE_SYSTEM_TZDATA ++#include ++#include ++#include ++#include ++#include ++ ++#include "php_scandir.h" ++ ++#else + #define TIMELIB_SUPPORTS_V2DATA + #include "timezonedb.h" ++#endif ++ ++#include + + #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__)) + # if defined(__LITTLE_ENDIAN__) +@@ -94,6 +107,11 @@ static int read_php_preamble(const unsigned char **tzf, timelib_tzinfo *tz) + 
{ + uint32_t version; + ++ if (memcmp(*tzf, "TZif", 4) == 0) { ++ *tzf += 20; ++ return 0; ++ } ++ + /* read ID */ + version = (*tzf)[3] - '0'; + *tzf += 4; +@@ -435,7 +453,467 @@ void timelib_dump_tzinfo(timelib_tzinfo *tz) + } + } + +-static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, const timelib_tzdb *tzdb) ++#ifdef HAVE_SYSTEM_TZDATA ++ ++#ifdef HAVE_SYSTEM_TZDATA_PREFIX ++#define ZONEINFO_PREFIX HAVE_SYSTEM_TZDATA_PREFIX ++#else ++#define ZONEINFO_PREFIX "/usr/share/zoneinfo" ++#endif ++ ++/* System timezone database pointer. */ ++static const timelib_tzdb *timezonedb_system; ++ ++/* Hash table entry for the cache of the zone.tab mapping table. */ ++struct location_info { ++ char code[2]; ++ double latitude, longitude; ++ char name[64]; ++ char *comment; ++ struct location_info *next; ++}; ++ ++/* Cache of zone.tab. */ ++static struct location_info **system_location_table; ++ ++/* Size of the zone.tab hash table; a random-ish prime big enough to ++ * prevent too many collisions. */ ++#define LOCINFO_HASH_SIZE (1021) ++ ++/* Compute a case insensitive hash of str */ ++static uint32_t tz_hash(const char *str) ++{ ++ const unsigned char *p = (const unsigned char *)str; ++ uint32_t hash = 5381; ++ int c; ++ ++ while ((c = tolower(*p++)) != '\0') { ++ hash = (hash << 5) ^ hash ^ c; ++ } ++ ++ return hash % LOCINFO_HASH_SIZE; ++} ++ ++/* Parse an ISO-6709 date as used in zone.tab. Returns end of the ++ * parsed string on success, or NULL on parse error. On success, ++ * writes the parsed number to *result. 
*/ ++static char *parse_iso6709(char *p, double *result) ++{ ++ double v, sign; ++ char *pend; ++ size_t len; ++ ++ if (*p == '+') ++ sign = 1.0; ++ else if (*p == '-') ++ sign = -1.0; ++ else ++ return NULL; ++ ++ p++; ++ for (pend = p; *pend >= '0' && *pend <= '9'; pend++) ++ ;; ++ ++ /* Annoying encoding used by zone.tab has no decimal point, so use ++ * the length to determine the format: ++ * ++ * 4 = DDMM ++ * 5 = DDDMM ++ * 6 = DDMMSS ++ * 7 = DDDMMSS ++ */ ++ len = pend - p; ++ if (len < 4 || len > 7) { ++ return NULL; ++ } ++ ++ /* p => [D]DD */ ++ v = (p[0] - '0') * 10.0 + (p[1] - '0'); ++ p += 2; ++ if (len == 5 || len == 7) ++ v = v * 10.0 + (*p++ - '0'); ++ /* p => MM[SS] */ ++ v += (10.0 * (p[0] - '0') ++ + p[1] - '0') / 60.0; ++ p += 2; ++ /* p => [SS] */ ++ if (len > 5) { ++ v += (10.0 * (p[0] - '0') ++ + p[1] - '0') / 3600.0; ++ p += 2; ++ } ++ ++ /* Round to five decimal place, not because it's a good idea, ++ * but, because the builtin data uses rounded data, so, match ++ * that. */ ++ *result = trunc(v * sign * 100000.0) / 100000.0; ++ ++ return p; ++} ++ ++/* This function parses the zone.tab file to build up the mapping of ++ * timezone to country code and geographic location, and returns a ++ * hash table. 
The hash table is indexed by the function: ++ * ++ * tz_hash(timezone-name) ++ */ ++static struct location_info **create_location_table(void) ++{ ++ struct location_info **li, *i; ++ char zone_tab[PATH_MAX]; ++ char line[512]; ++ FILE *fp; ++ ++ strncpy(zone_tab, ZONEINFO_PREFIX "/zone.tab", sizeof zone_tab); ++ ++ fp = fopen(zone_tab, "r"); ++ if (!fp) { ++ return NULL; ++ } ++ ++ li = calloc(LOCINFO_HASH_SIZE, sizeof *li); ++ ++ while (fgets(line, sizeof line, fp)) { ++ char *p = line, *code, *name, *comment; ++ uint32_t hash; ++ double latitude, longitude; ++ ++ while (isspace(*p)) ++ p++; ++ ++ if (*p == '#' || *p == '\0' || *p == '\n') ++ continue; ++ ++ if (!isalpha(p[0]) || !isalpha(p[1]) || p[2] != '\t') ++ continue; ++ ++ /* code => AA */ ++ code = p; ++ p[2] = 0; ++ p += 3; ++ ++ /* coords => [+-][D]DDMM[SS][+-][D]DDMM[SS] */ ++ p = parse_iso6709(p, &latitude); ++ if (!p) { ++ continue; ++ } ++ p = parse_iso6709(p, &longitude); ++ if (!p) { ++ continue; ++ } ++ ++ if (!p || *p != '\t') { ++ continue; ++ } ++ ++ /* name = string */ ++ name = ++p; ++ while (*p != '\t' && *p && *p != '\n') ++ p++; ++ ++ *p++ = '\0'; ++ ++ /* comment = string */ ++ comment = p; ++ while (*p != '\t' && *p && *p != '\n') ++ p++; ++ ++ if (*p == '\n' || *p == '\t') ++ *p = '\0'; ++ ++ hash = tz_hash(name); ++ i = malloc(sizeof *i); ++ memcpy(i->code, code, 2); ++ strncpy(i->name, name, sizeof i->name); ++ i->comment = strdup(comment); ++ i->longitude = longitude; ++ i->latitude = latitude; ++ i->next = li[hash]; ++ li[hash] = i; ++ /* printf("%s [%u, %f, %f]\n", name, hash, latitude, longitude); */ ++ } ++ ++ fclose(fp); ++ ++ return li; ++} ++ ++/* Return location info from hash table, using given timezone name. ++ * Returns NULL if the name could not be found. 
*/ ++const struct location_info *find_zone_info(struct location_info **li, ++ const char *name) ++{ ++ uint32_t hash = tz_hash(name); ++ const struct location_info *l; ++ ++ if (!li) { ++ return NULL; ++ } ++ ++ for (l = li[hash]; l; l = l->next) { ++ if (timelib_strcasecmp(l->name, name) == 0) ++ return l; ++ } ++ ++ return NULL; ++} ++ ++/* Filter out some non-tzdata files and the posix/right databases, if ++ * present. */ ++static int index_filter(const struct dirent *ent) ++{ ++ return strcmp(ent->d_name, ".") != 0 ++ && strcmp(ent->d_name, "..") != 0 ++ && strcmp(ent->d_name, "posix") != 0 ++ && strcmp(ent->d_name, "posixrules") != 0 ++ && strcmp(ent->d_name, "right") != 0 ++ && strstr(ent->d_name, ".list") == NULL ++ && strstr(ent->d_name, ".tab") == NULL; ++} ++ ++static int sysdbcmp(const void *first, const void *second) ++{ ++ const timelib_tzdb_index_entry *alpha = first, *beta = second; ++ ++ return timelib_strcasecmp(alpha->id, beta->id); ++} ++ ++ ++/* Retrieve tzdata version. */ ++static void retrieve_zone_version(timelib_tzdb *db) ++{ ++ static char buf[30]; ++ char path[PATH_MAX]; ++ FILE *fp; ++ ++ strncpy(path, ZONEINFO_PREFIX "/tzdata.zi", sizeof(path)); ++ ++ fp = fopen(path, "r"); ++ if (fp) { ++ if (fgets(buf, sizeof(buf), fp)) { ++ if (!memcmp(buf, "# version ", 10) && ++ isdigit(buf[10]) && ++ isdigit(buf[11]) && ++ isdigit(buf[12]) && ++ isdigit(buf[13]) && ++ islower(buf[14])) { ++ if (buf[14] >= 't') { /* 2022t = 2022.20 */ ++ buf[17] = 0; ++ buf[16] = buf[14] - 't' + '0'; ++ buf[15] = '2'; ++ } else if (buf[14] >= 'j') { /* 2022j = 2022.10 */ ++ buf[17] = 0; ++ buf[16] = buf[14] - 'j' + '0'; ++ buf[15] = '1'; ++ } else { /* 2022a = 2022.1 */ ++ buf[16] = 0; ++ buf[15] = buf[14] - 'a' + '1'; ++ } ++ buf[14] = '.'; ++ db->version = buf+10; ++ } ++ } ++ fclose(fp); ++ } ++} ++ ++/* Create the zone identifier index by trawling the filesystem. 
*/ ++static void create_zone_index(timelib_tzdb *db) ++{ ++ size_t dirstack_size, dirstack_top; ++ size_t index_size, index_next; ++ timelib_tzdb_index_entry *db_index; ++ char **dirstack; ++ ++ /* LIFO stack to hold directory entries to scan; each slot is a ++ * directory name relative to the zoneinfo prefix. */ ++ dirstack_size = 32; ++ dirstack = malloc(dirstack_size * sizeof *dirstack); ++ dirstack_top = 1; ++ dirstack[0] = strdup(""); ++ ++ /* Index array. */ ++ index_size = 64; ++ db_index = malloc(index_size * sizeof *db_index); ++ index_next = 0; ++ ++ do { ++ struct dirent **ents; ++ char name[PATH_MAX], *top; ++ int count; ++ ++ /* Pop the top stack entry, and iterate through its contents. */ ++ top = dirstack[--dirstack_top]; ++ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s", top); ++ ++ count = php_scandir(name, &ents, index_filter, php_alphasort); ++ ++ while (count > 0) { ++ struct stat st; ++ const char *leaf = ents[count - 1]->d_name; ++ ++ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s/%s", ++ top, leaf); ++ ++ if (strlen(name) && stat(name, &st) == 0) { ++ /* Name, relative to the zoneinfo prefix. */ ++ const char *root = top; ++ ++ if (root[0] == '/') root++; ++ ++ snprintf(name, sizeof name, "%s%s%s", root, ++ *root ? "/": "", leaf); ++ ++ if (S_ISDIR(st.st_mode)) { ++ if (dirstack_top == dirstack_size) { ++ dirstack_size *= 2; ++ dirstack = realloc(dirstack, ++ dirstack_size * sizeof *dirstack); ++ } ++ dirstack[dirstack_top++] = strdup(name); ++ } ++ else { ++ if (index_next == index_size) { ++ index_size *= 2; ++ db_index = realloc(db_index, ++ index_size * sizeof *db_index); ++ } ++ ++ db_index[index_next++].id = strdup(name); ++ } ++ } ++ ++ free(ents[--count]); ++ } ++ ++ if (count != -1) free(ents); ++ free(top); ++ } while (dirstack_top); ++ ++ qsort(db_index, index_next, sizeof *db_index, sysdbcmp); ++ ++ db->index = db_index; ++ db->index_size = index_next; ++ ++ free(dirstack); ++} ++ ++#define FAKE_HEADER "1234\0??\1??" 
++#define FAKE_UTC_POS (7 - 4) ++ ++/* Create a fake data segment for database 'sysdb'. */ ++static void fake_data_segment(timelib_tzdb *sysdb, ++ struct location_info **info) ++{ ++ size_t n; ++ char *data, *p; ++ ++ data = malloc(3 * sysdb->index_size + 7); ++ ++ p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1); ++ ++ for (n = 0; n < sysdb->index_size; n++) { ++ const struct location_info *li; ++ timelib_tzdb_index_entry *ent; ++ ++ ent = (timelib_tzdb_index_entry *)&sysdb->index[n]; ++ ++ /* Lookup the timezone name in the hash table. */ ++ if (strcmp(ent->id, "UTC") == 0) { ++ ent->pos = FAKE_UTC_POS; ++ continue; ++ } ++ ++ li = find_zone_info(info, ent->id); ++ if (li) { ++ /* If found, append the BC byte and the ++ * country code; set the position for this ++ * section of timezone data. */ ++ ent->pos = (p - data) - 4; ++ *p++ = '\1'; ++ *p++ = li->code[0]; ++ *p++ = li->code[1]; ++ } ++ else { ++ /* If not found, the timezone data can ++ * point at the header. */ ++ ent->pos = 0; ++ } ++ } ++ ++ sysdb->data = (unsigned char *)data; ++} ++ ++/* Returns true if the passed-in stat structure describes a ++ * probably-valid timezone file. */ ++static int is_valid_tzfile(const struct stat *st, int fd) ++{ ++ if (fd) { ++ char buf[20]; ++ if (read(fd, buf, 20)!=20) { ++ return 0; ++ } ++ lseek(fd, SEEK_SET, 0); ++ if (memcmp(buf, "TZif", 4)) { ++ return 0; ++ } ++ } ++ return S_ISREG(st->st_mode) && st->st_size > 20; ++} ++ ++/* To allow timezone names to be used case-insensitively, find the ++ * canonical name for this timezone, if possible. */ ++static const char *canonical_tzname(const char *timezone) ++{ ++ if (timezonedb_system) { ++ timelib_tzdb_index_entry *ent, lookup; ++ ++ lookup.id = (char *)timezone; ++ ++ ent = bsearch(&lookup, timezonedb_system->index, ++ timezonedb_system->index_size, sizeof lookup, ++ sysdbcmp); ++ if (ent) { ++ return ent->id; ++ } ++ } ++ ++ return timezone; ++} ++ ++/* Return the mmap()ed tzfile if found, else NULL. 
On success, the ++ * length of the mapped data is placed in *length. */ ++static char *map_tzfile(const char *timezone, size_t *length) ++{ ++ char fname[PATH_MAX]; ++ struct stat st; ++ char *p; ++ int fd; ++ ++ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { ++ return NULL; ++ } ++ ++ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); ++ ++ fd = open(fname, O_RDONLY); ++ if (fd == -1) { ++ return NULL; ++ } else if (fstat(fd, &st) != 0 || !is_valid_tzfile(&st, fd)) { ++ close(fd); ++ return NULL; ++ } ++ ++ *length = st.st_size; ++ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); ++ close(fd); ++ ++ return p != MAP_FAILED ? p : NULL; ++} ++ ++#endif ++ ++static int inmem_seek_to_tz_position(const unsigned char **tzf, const char *timezone, const timelib_tzdb *tzdb) + { + int left = 0, right = tzdb->index_size - 1; + +@@ -461,9 +939,49 @@ static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, + return 0; + } + ++static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, ++ char **map, size_t *maplen, ++ const timelib_tzdb *tzdb) ++{ ++#ifdef HAVE_SYSTEM_TZDATA ++ if (tzdb == timezonedb_system) { ++ char *orig; ++ ++ orig = map_tzfile(timezone, maplen); ++ if (orig == NULL) { ++ return 0; ++ } ++ ++ (*tzf) = (unsigned char *)orig; ++ *map = orig; ++ return 1; ++ } ++ else ++#endif ++ { ++ return inmem_seek_to_tz_position(tzf, timezone, tzdb); ++ } ++} ++ + const timelib_tzdb *timelib_builtin_db(void) + { ++#ifdef HAVE_SYSTEM_TZDATA ++ if (timezonedb_system == NULL) { ++ timelib_tzdb *tmp = malloc(sizeof *tmp); ++ ++ tmp->version = "0.system"; ++ tmp->data = NULL; ++ create_zone_index(tmp); ++ retrieve_zone_version(tmp); ++ system_location_table = create_location_table(); ++ fake_data_segment(tmp, system_location_table); ++ timezonedb_system = tmp; ++ } ++ ++ return timezonedb_system; ++#else + return &timezonedb_builtin; ++#endif + } + + const timelib_tzdb_index_entry 
*timelib_timezone_identifiers_list(const timelib_tzdb *tzdb, int *count) +@@ -475,7 +993,30 @@ const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_ + int timelib_timezone_id_is_valid(const char *timezone, const timelib_tzdb *tzdb) + { + const unsigned char *tzf; +- return (seek_to_tz_position(&tzf, timezone, tzdb)); ++ ++#ifdef HAVE_SYSTEM_TZDATA ++ if (tzdb == timezonedb_system) { ++ char fname[PATH_MAX]; ++ struct stat st; ++ ++ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { ++ return 0; ++ } ++ ++ if (system_location_table) { ++ if (find_zone_info(system_location_table, timezone) != NULL) { ++ /* found in cache */ ++ return 1; ++ } ++ } ++ ++ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); ++ ++ return stat(fname, &st) == 0 && is_valid_tzfile(&st, 0); ++ } ++#endif ++ ++ return (inmem_seek_to_tz_position(&tzf, timezone, tzdb)); + } + + static int skip_64bit_preamble(const unsigned char **tzf, timelib_tzinfo *tz) +@@ -517,6 +1058,8 @@ static timelib_tzinfo* timelib_tzinfo_ctor(const char *name) + timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *tzdb, int *error_code) + { + const unsigned char *tzf; ++ char *memmap = NULL; ++ size_t maplen; + timelib_tzinfo *tmp; + int version; + int transitions_result, types_result; +@@ -524,7 +1067,7 @@ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *t + + *error_code = TIMELIB_ERROR_NO_ERROR; + +- if (seek_to_tz_position(&tzf, timezone, tzdb)) { ++ if (seek_to_tz_position(&tzf, timezone, &memmap, &maplen, tzdb)) { + tmp = timelib_tzinfo_ctor(timezone); + + version = read_preamble(&tzf, tmp, &type); +@@ -563,11 +1106,36 @@ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *t + } + skip_posix_string(&tzf, tmp); + ++#ifdef HAVE_SYSTEM_TZDATA ++ if (memmap) { ++ const struct location_info *li; ++ ++ /* TZif-style - grok the location info from the system database, ++ * 
if possible. */ ++ ++ if ((li = find_zone_info(system_location_table, timezone)) != NULL) { ++ tmp->location.comments = timelib_strdup(li->comment); ++ strncpy(tmp->location.country_code, li->code, 2); ++ tmp->location.longitude = li->longitude; ++ tmp->location.latitude = li->latitude; ++ tmp->bc = 1; ++ } ++ else { ++ set_default_location_and_comments(&tzf, tmp); ++ } ++ ++ /* Now done with the mmap segment - discard it. */ ++ munmap(memmap, maplen); ++ } else { ++#endif + if (type == TIMELIB_TZINFO_PHP) { + read_location(&tzf, tmp); + } else { + set_default_location_and_comments(&tzf, tmp); + } ++#ifdef HAVE_SYSTEM_TZDATA ++ } ++#endif + } else { + *error_code = TIMELIB_ERROR_NO_SUCH_TIMEZONE; + tmp = NULL; +diff --git a/ext/date/php_date.c b/ext/date/php_date.c +index 2d5cffb963..389f09f313 100644 +--- a/ext/date/php_date.c ++++ b/ext/date/php_date.c +@@ -457,7 +457,11 @@ PHP_MINFO_FUNCTION(date) + php_info_print_table_row(2, "date/time support", "enabled"); + php_info_print_table_row(2, "timelib version", TIMELIB_ASCII_VERSION); + php_info_print_table_row(2, "\"Olson\" Timezone Database Version", tzdb->version); ++#ifdef HAVE_SYSTEM_TZDATA ++ php_info_print_table_row(2, "Timezone Database", "system"); ++#else + php_info_print_table_row(2, "Timezone Database", php_date_global_timezone_db_enabled ? "external" : "internal"); ++#endif + php_info_print_table_row(2, "Default timezone", guess_timezone(tzdb)); + php_info_print_table_end(); + diff --git a/php-8.0.13-crypt.patch b/php-8.0.13-crypt.patch new file mode 100644 index 0000000000000000000000000000000000000000..31a8c8a4616ac1e3c0810b9c1658c0a14ff1443b --- /dev/null +++ b/php-8.0.13-crypt.patch 
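Review bot: In is_valid_tzfile, `if (fd)` uses 0 as the "no descriptor" sentinel, but 0 is a legal return from open() when standard input is closed, and in that case map_tzfile would skip the "TZif" magic check and pass an unverified file to the parser. Using -1 as the sentinel avoids this: `if (fd >= 0) {` in is_valid_tzfile and `is_valid_tzfile(&st, -1)` in timelib_timezone_id_is_valid. The rewind in the same function has its arguments swapped and only works where SEEK_SET happens to be 0; it should read `lseek(fd, 0, SEEK_SET);`. Separately, timelib_timezone_id_is_valid never checks the magic (and returns early on a zone.tab cache hit), so it can report an identifier as valid that map_tzfile then refuses. Timezone identifiers frequently originate in request input, so the two paths should apply the same test.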
@@ -0,0 +1,45 @@ +From fc4e31467c352032ee709ac55d3c67bc22abcd8d Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Fri, 15 Oct 2021 17:11:12 +0200 +Subject: [PATCH] add --with-external-libcrypt build option display an error + message if some algo not available in external libcrypt + +--- + ext/standard/config.m4 | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/ext/standard/config.m4 b/ext/standard/config.m4 +index 58b9c5e658a4..3ec18be4d7df 100644 +--- a/ext/standard/config.m4 ++++ b/ext/standard/config.m4 +@@ -267,14 +267,25 @@ int main() { + ])]) + + ++PHP_ARG_WITH([external-libcrypt], ++ [for external libcrypt or libxcrypt], ++ [AS_HELP_STRING([--with-external-libcrypt], ++ [Use external libcrypt or libxcrypt])], ++ [no], ++ [no]) ++ + dnl + dnl If one of them is missing, use our own implementation, portable code is then possible + dnl +-dnl TODO This is currently always enabled +-if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no" || test "$ac_cv_func_crypt_r" != "yes" || true; then +- AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 1, [Whether PHP has to use its own crypt_r for blowfish, des, ext des and md5]) +- +- PHP_ADD_SOURCES(PHP_EXT_DIR(standard), crypt_freesec.c crypt_blowfish.c crypt_sha512.c crypt_sha256.c php_crypt_r.c) ++dnl This is currently enabled by default ++if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no" || test "$ac_cv_func_crypt_r" != "yes" || test "$PHP_EXTERNAL_LIBCRYPT" = "no"; then ++ if test "$PHP_EXTERNAL_LIBCRYPT" = "no"; then ++ AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 1, [Whether PHP has to use its own crypt_r for blowfish, des, ext des and md5]) ++ ++ 
PHP_ADD_SOURCES(PHP_EXT_DIR(standard), crypt_freesec.c crypt_blowfish.c crypt_sha512.c crypt_sha256.c php_crypt_r.c) ++ else ++ AC_MSG_ERROR([Cannot use external libcrypt as some algo are missing]) ++ fi + else + AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 0, [Whether PHP has to use its own crypt_r for blowfish, des and ext des]) + fi diff --git a/php-8.0.19-parser.patch b/php-8.0.19-parser.patch new file mode 100644 index 0000000000000000000000000000000000000000..8a28e4d420b50298f176f918e6dcde1c32eda308 --- /dev/null +++ b/php-8.0.19-parser.patch @@ -0,0 +1,16 @@ +diff -up ./build/gen_stub.php.syslib ./build/gen_stub.php +--- ./build/gen_stub.php.syslib 2020-06-25 08:11:51.782046813 +0200 ++++ ./build/gen_stub.php 2020-06-25 08:13:11.188860368 +0200 +@@ -1075,6 +1075,12 @@ function initPhpParser() { + } + + $isInitialized = true; ++ ++ if (file_exists('/usr/share/php/PhpParser4/autoload.php')) { ++ require_once '/usr/share/php/PhpParser4/autoload.php'; ++ return; ++ } ++ + $version = "4.13.0"; + $phpParserDir = __DIR__ . "/PHP-Parser-$version"; + if (!is_dir($phpParserDir)) { diff --git a/php-8.0.21-openssl3.patch b/php-8.0.21-openssl3.patch new file mode 100644 index 0000000000000000000000000000000000000000..b6b14b3725f72247e9a2f7ec0332501863f40c8a --- /dev/null +++ b/php-8.0.21-openssl3.patch 
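Review bot: The new `AC_MSG_ERROR` in ext/standard/config.m4 does not say which probe failed, so a builder passing `--with-external-libcrypt` cannot tell from the message whether the system library lacks blowfish, DES, MD5, one of the SHA variants, or `crypt_r` itself. Printing the cache values already tested in the condition would make it actionable: `AC_MSG_ERROR([Cannot use external libcrypt: blowfish=$ac_cv_crypt_blowfish des=$ac_cv_crypt_des ext_des=$ac_cv_crypt_ext_des md5=$ac_cv_crypt_md5 sha256=$ac_cv_crypt_sha256 sha512=$ac_cv_crypt_sha512 crypt_r=$ac_cv_func_crypt_r])`. A `dnl` line above the `PHP_ARG_WITH` would also help, stating that with this option the bundled crypt sources are not compiled and password hashing is presumably delegated to the system libcrypt or libxcrypt.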
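Review bot: The early `return` after loading `/usr/share/php/PhpParser4/autoload.php` bypasses the `$version = "4.13.0"` pin that follows it, so stub generation runs against whichever PhpParser release the build root provides, with no minimum-version check. If that is intended for distribution builds, a comment should say so, for example `// Distribution build: use the packaged PhpParser4 as-is; the $version pin below applies only to the bundled copy.` The path literal is also written twice; holding it in one local, `$systemAutoload = '/usr/share/php/PhpParser4/autoload.php';`, keeps the existence test and the `require_once` from drifting apart. initPhpParser() continues past the end of the hunk.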
@@ -0,0 +1,4761 @@ +From 016e857bed6cbd4a96f520d05499b7e30bbf877c Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Sun, 8 Aug 2021 17:38:30 +0200 +Subject: [PATCH 01/39] minimal fix for openssl 3.0 (#7002) + +(cherry picked from commit a0972deb0f441fc7991001cb51efc994b70a3b51) +--- + ext/openssl/openssl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index f791cfa856..b327b121d8 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -1313,7 +1313,9 @@ PHP_MINIT_FUNCTION(openssl) + REGISTER_LONG_CONSTANT("OPENSSL_CMS_NOSIGS", CMS_NOSIGS, CONST_CS|CONST_PERSISTENT); + + REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_PADDING", RSA_PKCS1_PADDING, CONST_CS|CONST_PERSISTENT); ++#ifdef RSA_SSLV23_PADDING + REGISTER_LONG_CONSTANT("OPENSSL_SSLV23_PADDING", RSA_SSLV23_PADDING, CONST_CS|CONST_PERSISTENT); ++#endif + REGISTER_LONG_CONSTANT("OPENSSL_NO_PADDING", RSA_NO_PADDING, CONST_CS|CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING, CONST_CS|CONST_PERSISTENT); + +-- +2.35.3 + +From 4f53ad619bb69c26e0ad0e59caf98642d8a6f038 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 09:41:39 +0200 +Subject: [PATCH 02/39] Optimize openssl memory leak test + +Just do one call and check whether memory usage changes. Looping +this 100000 times is extremely slow with debug builds of openssl. 
+ +(cherry picked from commit 6249172ae37f958f0a3ef92cb55d5bf7affa8214) +--- + ext/openssl/tests/bug79145.phpt | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/ext/openssl/tests/bug79145.phpt b/ext/openssl/tests/bug79145.phpt +index 4f3dc9e766..c9c7df2953 100644 +--- a/ext/openssl/tests/bug79145.phpt ++++ b/ext/openssl/tests/bug79145.phpt +@@ -3,7 +3,6 @@ Bug #79145 (openssl memory leak) + --SKIPIF-- + + --FILE-- + + --EXPECT-- + bool(true) +-- +2.35.3 + +From 8ae6f0974ea3f3c39e24b2e1825ba419f5b2ee94 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 09:46:07 +0200 +Subject: [PATCH 03/39] Reduce security level in some OpenSSL tests + +This allows tests using older protocols and algorithms to work +under OpenSSL 3. + +Also account for minor changes in error reporting. + +(cherry picked from commit 3ea57cf83834e07aae6953201015e39b4a2ac6dd) +--- + ext/openssl/tests/session_meta_capture.phpt | 4 ++-- + ext/openssl/tests/stream_crypto_flags_001.phpt | 4 ++-- + ext/openssl/tests/stream_crypto_flags_002.phpt | 4 ++-- + ext/openssl/tests/stream_crypto_flags_003.phpt | 4 ++-- + ext/openssl/tests/stream_crypto_flags_004.phpt | 4 ++-- + ext/openssl/tests/stream_security_level.phpt | 4 ++-- + ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt | 4 ++-- + ext/openssl/tests/tls_wrapper.phpt | 4 ++-- + ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt | 4 ++-- + ext/openssl/tests/tlsv1.0_wrapper.phpt | 4 ++-- + ext/openssl/tests/tlsv1.1_wrapper.phpt | 4 ++-- + 11 files changed, 22 insertions(+), 22 deletions(-) + +diff --git a/ext/openssl/tests/session_meta_capture.phpt b/ext/openssl/tests/session_meta_capture.phpt +index 58b48e9c59..8a0f403a15 100644 +--- a/ext/openssl/tests/session_meta_capture.phpt ++++ b/ext/openssl/tests/session_meta_capture.phpt +@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' + $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 
'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -36,7 +36,7 @@ $clientCode = <<<'CODE' + 'verify_peer' => true, + 'cafile' => '%s', + 'peer_name' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/stream_crypto_flags_001.phpt b/ext/openssl/tests/stream_crypto_flags_001.phpt +index acd97110ff..a86e0f8a6c 100644 +--- a/ext/openssl/tests/stream_crypto_flags_001.phpt ++++ b/ext/openssl/tests/stream_crypto_flags_001.phpt +@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' + $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -35,7 +35,7 @@ $clientCode = <<<'CODE' + 'verify_peer' => true, + 'cafile' => '%s', + 'peer_name' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/stream_crypto_flags_002.phpt b/ext/openssl/tests/stream_crypto_flags_002.phpt +index 15b1ec2cfc..2870bdc814 100644 +--- a/ext/openssl/tests/stream_crypto_flags_002.phpt ++++ b/ext/openssl/tests/stream_crypto_flags_002.phpt +@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' + $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -36,7 +36,7 @@ $clientCode = <<<'CODE' + 'verify_peer' => true, + 'cafile' => '%s', + 'peer_name' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/stream_crypto_flags_003.phpt b/ext/openssl/tests/stream_crypto_flags_003.phpt +index 
35f83f22dd..da1f1ae228 100644 +--- a/ext/openssl/tests/stream_crypto_flags_003.phpt ++++ b/ext/openssl/tests/stream_crypto_flags_003.phpt +@@ -19,7 +19,7 @@ $serverCode = <<<'CODE' + + // Only accept TLSv1.0 and TLSv1.2 connections + 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER | STREAM_CRYPTO_METHOD_TLSv1_2_SERVER, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -40,7 +40,7 @@ $clientCode = <<<'CODE' + 'verify_peer' => true, + 'cafile' => '%s', + 'peer_name' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/stream_crypto_flags_004.phpt b/ext/openssl/tests/stream_crypto_flags_004.phpt +index d9bfcfea3f..b7626b8ea7 100644 +--- a/ext/openssl/tests/stream_crypto_flags_004.phpt ++++ b/ext/openssl/tests/stream_crypto_flags_004.phpt +@@ -16,7 +16,7 @@ $serverCode = <<<'CODE' + $serverCtx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', + 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -37,7 +37,7 @@ $clientCode = <<<'CODE' + 'verify_peer' => true, + 'cafile' => '%s', + 'peer_name' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/stream_security_level.phpt b/ext/openssl/tests/stream_security_level.phpt +index 44ba4c6d57..b8a8796de3 100644 +--- a/ext/openssl/tests/stream_security_level.phpt ++++ b/ext/openssl/tests/stream_security_level.phpt +@@ -24,7 +24,7 @@ $serverCode = <<<'CODE' + 'local_cert' => '%s', + // Make sure the server side starts up successfully if the default security level is + // higher. We want to test the error at the client side. 
+- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); +@@ -66,7 +66,7 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode); + ?> + --EXPECTF-- + Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: +-error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in %s : eval()'d code on line %d ++error:%s:SSL routines:%S:certificate verify failed in %s : eval()'d code on line %d + + Warning: stream_socket_client(): Failed to enable crypto in %s : eval()'d code on line %d + +diff --git a/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt b/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt +index ac31192da4..73dd812291 100644 +--- a/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt ++++ b/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt +@@ -15,7 +15,7 @@ $serverCode = <<<'CODE' + 'local_cert' => '%s', + 'min_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_0, + 'max_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_1, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); +@@ -32,7 +32,7 @@ $clientCode = <<<'CODE' + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/tls_wrapper.phpt b/ext/openssl/tests/tls_wrapper.phpt +index d79e978c10..3488f6f7f0 100644 +--- a/ext/openssl/tests/tls_wrapper.phpt ++++ b/ext/openssl/tests/tls_wrapper.phpt +@@ -14,7 +14,7 @@ $serverCode = <<<'CODE' + $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; + $ctx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); +@@ 
-31,7 +31,7 @@ $clientCode = <<<'CODE' + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt b/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt +index b419179b3f..c8a0245601 100644 +--- a/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt ++++ b/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt +@@ -14,7 +14,7 @@ $serverCode = <<<'CODE' + $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; + $ctx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); +@@ -31,7 +31,7 @@ $clientCode = <<<'CODE' + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/tlsv1.0_wrapper.phpt b/ext/openssl/tests/tlsv1.0_wrapper.phpt +index adbe7b6308..fc802662ac 100644 +--- a/ext/openssl/tests/tlsv1.0_wrapper.phpt ++++ b/ext/openssl/tests/tlsv1.0_wrapper.phpt +@@ -13,7 +13,7 @@ $serverCode = <<<'CODE' + $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; + $ctx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server('tlsv1.0://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); +@@ -30,7 +30,7 @@ $clientCode = <<<'CODE' + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +diff --git a/ext/openssl/tests/tlsv1.1_wrapper.phpt b/ext/openssl/tests/tlsv1.1_wrapper.phpt +index c1aaa04919..84a137b5f4 100644 +--- a/ext/openssl/tests/tlsv1.1_wrapper.phpt ++++ b/ext/openssl/tests/tlsv1.1_wrapper.phpt +@@ 
-13,7 +13,7 @@ $serverCode = <<<'CODE' + $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN; + $ctx = stream_context_create(['ssl' => [ + 'local_cert' => '%s', +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + $server = stream_socket_server('tlsv1.1://127.0.0.1:64321', $errno, $errstr, $flags, $ctx); +@@ -30,7 +30,7 @@ $clientCode = <<<'CODE' + $ctx = stream_context_create(['ssl' => [ + 'verify_peer' => false, + 'verify_peer_name' => false, +- 'security_level' => 1, ++ 'security_level' => 0, + ]]); + + phpt_wait(); +-- +2.35.3 + +From e11ba509a72315046a015e8e106b4c1a0fdf4be9 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 09:57:40 +0200 +Subject: [PATCH 04/39] Adjust some tests for whitespace differences in OpenSSL + 3 + +A trailing newline is no longer present in OpenSSL 3. + +(cherry picked from commit 0a530d7650c6f9cb7c1b55755c8bf5961052039c) +--- + ext/openssl/tests/bug28382.phpt | 17 +++++++---------- + ext/openssl/tests/cve2013_4073.phpt | 5 ++--- + ext/openssl/tests/openssl_x509_parse_basic.phpt | 10 ++++------ + 3 files changed, 13 insertions(+), 19 deletions(-) + +diff --git a/ext/openssl/tests/bug28382.phpt b/ext/openssl/tests/bug28382.phpt +index 3d8cb528ba..00765ba838 100644 +--- a/ext/openssl/tests/bug28382.phpt ++++ b/ext/openssl/tests/bug28382.phpt +@@ -9,11 +9,10 @@ if (!extension_loaded("openssl")) die("skip"); + $cert = file_get_contents(__DIR__ . "/bug28382cert.txt"); + $ext = openssl_x509_parse($cert); + var_dump($ext['extensions']); +-/* openssl 1.0 prepends the string "Full Name:" to the crlDistributionPoints array key. +- For now, as this is the one difference only between 0.9.x and 1.x, it's handled with +- placeholders to not to duplicate the test. When more diffs come, a duplication would +- be probably a better solution. +-*/ ++/* ++ * The reason for %A at the end of crlDistributionPoints and authorityKeyIdentifier is that ++ * OpenSSL 3.0 removes new lines which were present in previous versions. 
++ */ + ?> + --EXPECTF-- + array(11) { +@@ -24,8 +23,7 @@ array(11) { + ["nsCertType"]=> + string(30) "SSL Client, SSL Server, S/MIME" + ["crlDistributionPoints"]=> +- string(%d) "%AURI:http://mobile.blue-software.ro:90/ca/crl.shtml +-" ++ string(%d) "%AURI:http://mobile.blue-software.ro:90/ca/crl.shtml%A" + ["nsCaPolicyUrl"]=> + string(38) "http://mobile.blue-software.ro:90/pub/" + ["subjectAltName"]=> +@@ -33,9 +31,8 @@ array(11) { + ["subjectKeyIdentifier"]=> + string(59) "B0:A7:FF:F9:41:15:DE:23:39:BD:DD:31:0F:97:A0:B2:A2:74:E0:FC" + ["authorityKeyIdentifier"]=> +- string(115) "DirName:/C=RO/ST=Romania/L=Craiova/O=Sergiu/OU=Sergiu SRL/CN=Sergiu CA/emailAddress=n_sergiu@hotmail.com +-serial:00 +-" ++ string(%d) "DirName:/C=RO/ST=Romania/L=Craiova/O=Sergiu/OU=Sergiu SRL/CN=Sergiu CA/emailAddress=n_sergiu@hotmail.com ++serial:00%A" + ["keyUsage"]=> + string(71) "Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment" + ["nsBaseUrl"]=> +diff --git a/ext/openssl/tests/cve2013_4073.phpt b/ext/openssl/tests/cve2013_4073.phpt +index c88021b0ae..5cd05ab040 100644 +--- a/ext/openssl/tests/cve2013_4073.phpt ++++ b/ext/openssl/tests/cve2013_4073.phpt +@@ -9,11 +9,10 @@ $info = openssl_x509_parse($cert); + var_export($info['extensions']); + + ?> +---EXPECT-- ++--EXPECTF-- + array ( + 'basicConstraints' => 'CA:FALSE', + 'subjectKeyIdentifier' => '88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C', + 'keyUsage' => 'Digital Signature, Non Repudiation, Key Encipherment', +- 'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1 +-', ++ 'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 
'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1%A', + ) +diff --git a/ext/openssl/tests/openssl_x509_parse_basic.phpt b/ext/openssl/tests/openssl_x509_parse_basic.phpt +index b80c1f71f1..38915157f3 100644 +--- a/ext/openssl/tests/openssl_x509_parse_basic.phpt ++++ b/ext/openssl/tests/openssl_x509_parse_basic.phpt +@@ -153,10 +153,9 @@ array(16) { + ["subjectKeyIdentifier"]=> + string(59) "DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D" + ["authorityKeyIdentifier"]=> +- string(202) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D ++ string(%d) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D + DirName:/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnangelo@php.net +-serial:AE:C5:56:CC:72:37:50:A2 +-" ++serial:AE:C5:56:CC:72:37:50:A2%A" + ["basicConstraints"]=> + string(7) "CA:TRUE" + } +@@ -301,10 +300,9 @@ array(16) { + ["subjectKeyIdentifier"]=> + string(59) "DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D" + ["authorityKeyIdentifier"]=> +- string(202) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D ++ string(%d) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D + DirName:/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnangelo@php.net +-serial:AE:C5:56:CC:72:37:50:A2 +-" ++serial:AE:C5:56:CC:72:37:50:A2%A" + ["basicConstraints"]=> + string(7) "CA:TRUE" + } +-- +2.35.3 + +From 6d8810376b61aa4d37fbe773caa036ae7fec01a4 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 11:55:47 +0200 +Subject: [PATCH 05/39] Use different cipher in openssl_seal() test + +RC4 is insecure and not supported in newer versions. 
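Review bot: The trailing `%A` added to the `subjectAltName` line in cve2013_4073.phpt matches any run of characters, newlines included, so this CVE regression test would now also pass if extra text followed `2001:DB8:0:0:0:0:0:1`. According to the commit message only a trailing newline differs between OpenSSL versions, so the optional-whitespace placeholder is enough: `... IP Address:2001:DB8:0:0:0:0:0:1%w',`. The `%A` suffixes added in bug28382.phpt and openssl_x509_parse_basic.phpt could be tightened the same way.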
+ +(cherry picked from commit 046b36bcf8c062375c9f5e2a763d6144c2a484b4) +--- + ext/openssl/tests/openssl_seal_basic.phpt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/openssl/tests/openssl_seal_basic.phpt b/ext/openssl/tests/openssl_seal_basic.phpt +index 16efb05a66..e23045c992 100644 +--- a/ext/openssl/tests/openssl_seal_basic.phpt ++++ b/ext/openssl/tests/openssl_seal_basic.phpt +@@ -9,7 +9,7 @@ $a = 1; + $b = array(1); + $c = array(1); + $d = array(1); +-$method = "RC4"; ++$method = "AES-128-ECB"; + + var_dump(openssl_seal($a, $b, $c, $d, $method)); + +@@ -41,8 +41,8 @@ var_dump(openssl_seal($data, $sealed, $ekeys, array($wrong), $method)); + Warning: openssl_seal(): Not a public key (1th member of pubkeys) in %s on line %d + bool(false) + openssl_seal(): Argument #4 ($public_key) cannot be empty +-int(19) +-int(19) ++int(32) ++int(32) + + Warning: openssl_seal(): Not a public key (2th member of pubkeys) in %s on line %d + bool(false) +-- +2.35.3 + +From 0d452b65cc8adf1867a26a470295a03324ea150b Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 11:58:46 +0200 +Subject: [PATCH 06/39] Don't test legacy algorithms in SPKI tests + +MD4 and RMD160 may not be available on newer OpenSSL versions. 
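Review bot: `$method = "AES-128-ECB";` in openssl_seal_basic.phpt replaces a discouraged cipher with a discouraged mode, and the test gives no reason for the choice. ECB was presumably picked because it needs no IV, which leaves the existing `openssl_seal()` calls unchanged; a comment should say so, e.g. `// ECB only because it needs no IV in this test; do not use ECB for real data`. openssl_open_basic.phpt gets the same assignment in a later patch of this series and deserves the same comment.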
+ +(cherry picked from commit 9695936341c49ea0efec5bdf24acbcdf59e2a7f8) +--- + ext/openssl/tests/openssl_spki_export_basic.phpt | 4 ---- + .../tests/openssl_spki_export_challenge_basic.phpt | 14 -------------- + ext/openssl/tests/openssl_spki_new_basic.phpt | 8 -------- + ext/openssl/tests/openssl_spki_verify_basic.phpt | 7 ------- + 4 files changed, 33 deletions(-) + +diff --git a/ext/openssl/tests/openssl_spki_export_basic.phpt b/ext/openssl/tests/openssl_spki_export_basic.phpt +index 4085d2d5d8..c03954390b 100644 +--- a/ext/openssl/tests/openssl_spki_export_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_export_basic.phpt +@@ -19,14 +19,12 @@ foreach ($key_sizes as $key_size) { + + /* array of available hashings to test */ + $algo = array( +- OPENSSL_ALGO_MD4, + OPENSSL_ALGO_MD5, + OPENSSL_ALGO_SHA1, + OPENSSL_ALGO_SHA224, + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, + OPENSSL_ALGO_SHA512, +- OPENSSL_ALGO_RMD160 + ); + + /* loop over key sizes for test */ +@@ -56,5 +54,3 @@ function _uuid() { + \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\- + \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\- + \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\- +-\-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\- +-\-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\- +diff --git a/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt b/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt +index f44e60ec62..06308bf10c 100644 +--- a/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt +@@ -21,14 +21,12 @@ foreach ($key_sizes as $key_size) { + + /* array of available hashings to test */ + $algo = array( +- OPENSSL_ALGO_MD4, + OPENSSL_ALGO_MD5, + OPENSSL_ALGO_SHA1, + OPENSSL_ALGO_SHA224, + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, + OPENSSL_ALGO_SHA512, +- OPENSSL_ALGO_RMD160 + ); + + /* 
loop over key sizes for test */ +@@ -89,15 +87,3 @@ string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" + bool\(false\) + string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" + bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\" +-bool\(false\) +diff --git a/ext/openssl/tests/openssl_spki_new_basic.phpt b/ext/openssl/tests/openssl_spki_new_basic.phpt +index cb54747fe0..8378bd1ac6 100644 +--- a/ext/openssl/tests/openssl_spki_new_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_new_basic.phpt +@@ -18,14 +18,12 @@ foreach ($key_sizes as $key_size) { + + /* array of available hashings to test */ + $algo = array( +- OPENSSL_ALGO_MD4, + OPENSSL_ALGO_MD5, + OPENSSL_ALGO_SHA1, + OPENSSL_ALGO_SHA224, + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, + OPENSSL_ALGO_SHA512, +- OPENSSL_ALGO_RMD160 + ); + + /* loop over key sizes for test */ +@@ -53,21 +51,15 @@ string(478) "%s" + string(478) "%s" + string(478) "%s" + string(478) "%s" +-string(478) "%s" +-string(474) "%s" +-string(830) "%s" + string(830) "%s" + string(830) "%s" + string(830) "%s" + string(830) "%s" + string(830) "%s" + string(830) "%s" +-string(826) "%s" +-string(1510) "%s" + string(1510) "%s" + string(1510) "%s" + string(1510) "%s" + string(1510) "%s" + string(1510) "%s" + string(1510) "%s" +-string(1506) "%s" +diff --git a/ext/openssl/tests/openssl_spki_verify_basic.phpt b/ext/openssl/tests/openssl_spki_verify_basic.phpt +index c760d0cb83..35badcda37 100644 +--- a/ext/openssl/tests/openssl_spki_verify_basic.phpt ++++ b/ext/openssl/tests/openssl_spki_verify_basic.phpt +@@ -25,7 +25,6 
@@ $algo = array( + OPENSSL_ALGO_SHA256, + OPENSSL_ALGO_SHA384, + OPENSSL_ALGO_SHA512, +- OPENSSL_ALGO_RMD160 + ); + + /* loop over key sizes for test */ +@@ -80,9 +79,3 @@ bool(true) + bool(false) + bool(true) + bool(false) +-bool(true) +-bool(false) +-bool(true) +-bool(false) +-bool(true) +-bool(false) +-- +2.35.3 + +From 6489539ac9867eb365cd90bbb4ffc755f35bd9c3 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 12:48:02 +0200 +Subject: [PATCH 07/39] Only report provided ciphers in + openssl_get_cipher_methods() + +With OpenSSL 3 ciphers may be registered, but not provided. Make +sure that openssl_get_cipher_methods() only returns provided +ciphers, so that "in_array openssl_get_cipher_methods" style +checks continue working as expected. + +(cherry picked from commit a80ae97d3176aded77ee422772608a026380fc1a) +--- + ext/openssl/openssl.c | 34 +++++++++++++++++++++++++++++++++- + ext/openssl/php_openssl.h | 4 +++- + 2 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index b327b121d8..f99961c589 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -6863,6 +6863,31 @@ PHP_FUNCTION(openssl_get_md_methods) + } + /* }}} */ + ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++static void php_openssl_add_cipher_name(const char *name, void *arg) ++{ ++ size_t len = strlen(name); ++ zend_string *str = zend_string_alloc(len, 0); ++ zend_str_tolower_copy(ZSTR_VAL(str), name, len); ++ add_next_index_str((zval*)arg, str); ++} ++ ++static void php_openssl_add_cipher_or_alias(EVP_CIPHER *cipher, void *arg) ++{ ++ EVP_CIPHER_names_do_all(cipher, php_openssl_add_cipher_name, arg); ++} ++ ++static void php_openssl_add_cipher(EVP_CIPHER *cipher, void *arg) ++{ ++ php_openssl_add_cipher_name(EVP_CIPHER_get0_name(cipher), arg); ++} ++ ++static int php_openssl_compare_func(Bucket *a, Bucket *b) ++{ ++ return string_compare_function(&a->val, &b->val); ++} ++#endif ++ + /* {{{ Return array of available 
cipher algorithms */ + PHP_FUNCTION(openssl_get_cipher_methods) + { +@@ -6872,9 +6897,16 @@ PHP_FUNCTION(openssl_get_cipher_methods) + RETURN_THROWS(); + } + array_init(return_value); ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ EVP_CIPHER_do_all_provided(NULL, ++ aliases ? php_openssl_add_cipher_or_alias : php_openssl_add_cipher, ++ return_value); ++ zend_hash_sort(Z_ARRVAL_P(return_value), php_openssl_compare_func, 1); ++#else + OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, +- aliases ? php_openssl_add_method_or_alias: php_openssl_add_method, ++ aliases ? php_openssl_add_method_or_alias : php_openssl_add_method, + return_value); ++#endif + } + /* }}} */ + +diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h +index c674ead34b..16bad9e6b0 100644 +--- a/ext/openssl/php_openssl.h ++++ b/ext/openssl/php_openssl.h +@@ -39,8 +39,10 @@ extern zend_module_entry openssl_module_entry; + #define PHP_OPENSSL_API_VERSION 0x10001 + #elif OPENSSL_VERSION_NUMBER < 0x10100000L + #define PHP_OPENSSL_API_VERSION 0x10002 +-#else ++#elif OPENSSL_VERSION_NUMBER < 0x30000000L + #define PHP_OPENSSL_API_VERSION 0x10100 ++#else ++#define PHP_OPENSSL_API_VERSION 0x30000 + #endif + #endif + +-- +2.35.3 + +From 407368e3fad0e4a46152bdf0061f590387365409 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 12:05:02 +0200 +Subject: [PATCH 08/39] Avoid RC4 use in another test + +(cherry picked from commit 503146aa87e48f075f47a093ed7868e323814a66) +--- + ext/openssl/tests/openssl_open_basic.phpt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/openssl/tests/openssl_open_basic.phpt b/ext/openssl/tests/openssl_open_basic.phpt +index 5e551c507f..271a878cdf 100644 +--- a/ext/openssl/tests/openssl_open_basic.phpt ++++ b/ext/openssl/tests/openssl_open_basic.phpt +@@ -8,7 +8,7 @@ $data = "openssl_open() test"; + $pub_key = "file://" . __DIR__ . "/public.key"; + $priv_key = "file://" . __DIR__ . 
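Review bot: `php_openssl_add_cipher_name()` calls `strlen(name)` without checking `name`, and `php_openssl_add_cipher()` passes it the result of `EVP_CIPHER_get0_name(cipher)`, which may be NULL for a cipher with no registered name (to be confirmed against the OpenSSL 3 documentation). A guard at the top of the helper, `if (name == NULL) { return; }`, avoids the dereference. Separately, `EVP_CIPHER_do_all_provided(NULL, ...)` visits every loaded provider, so the returned array may hold the same name more than once when two providers implement one cipher. If that can happen in a supported configuration, the list should be de-duplicated after the `zend_hash_sort()` call.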
"/private_rsa_1024.key"; + $wrong = "wrong"; +-$method = "RC4"; ++$method = "AES-128-ECB"; + + openssl_seal($data, $sealed, $ekeys, array($pub_key, $pub_key, $pub_key), $method); + openssl_open($sealed, $output, $ekeys[0], $priv_key, $method); +-- +2.35.3 + +From 33f11d251877bd3fa4a533eec1a9d1df4a2ab13b Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 15:47:14 +0200 +Subject: [PATCH 09/39] Use EVP_PKEY API for + openssl_public_encrypt/private_decrypt + +Use the high level API instead of the deprecated low level API. + +(cherry picked from commit 0233afae2762a7e7be49935ebbb981783c471d13) +--- + ext/openssl/openssl.c | 117 +++++++----------- + .../tests/openssl_error_string_basic.phpt | 2 +- + 2 files changed, 45 insertions(+), 74 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index f99961c589..d5ccfb09cb 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -6295,11 +6295,6 @@ PHP_FUNCTION(openssl_private_encrypt) + PHP_FUNCTION(openssl_private_decrypt) + { + zval *key, *crypted; +- EVP_PKEY *pkey; +- int cryptedlen; +- zend_string *cryptedbuf = NULL; +- unsigned char *crypttemp; +- int successful = 0; + zend_long padding = RSA_PKCS1_PADDING; + char * data; + size_t data_len; +@@ -6308,11 +6303,7 @@ PHP_FUNCTION(openssl_private_decrypt) + RETURN_THROWS(); + } + +- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1); +- +- RETVAL_FALSE; +- +- pkey = php_openssl_pkey_from_zval(key, 0, "", 0, 3); ++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 0, "", 0, 3); + if (pkey == NULL) { + if (!EG(exception)) { + php_error_docref(NULL, E_WARNING, "key parameter is not a valid private key"); +@@ -6320,42 +6311,33 @@ PHP_FUNCTION(openssl_private_decrypt) + RETURN_FALSE; + } + +- cryptedlen = EVP_PKEY_size(pkey); +- crypttemp = emalloc(cryptedlen + 1); +- +- switch (EVP_PKEY_id(pkey)) { +- case EVP_PKEY_RSA: +- case EVP_PKEY_RSA2: +- cryptedlen = RSA_private_decrypt((int)data_len, +- (unsigned char *)data, +- 
crypttemp, +- EVP_PKEY_get0_RSA(pkey), +- (int)padding); +- if (cryptedlen != -1) { +- cryptedbuf = zend_string_alloc(cryptedlen, 0); +- memcpy(ZSTR_VAL(cryptedbuf), crypttemp, cryptedlen); +- successful = 1; +- } +- break; +- default: +- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!"); ++ size_t out_len = 0; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL); ++ if (!ctx || EVP_PKEY_decrypt_init(ctx) <= 0 || ++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 || ++ EVP_PKEY_decrypt(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) { ++ php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + +- efree(crypttemp); +- +- if (successful) { +- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0'; +- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf); +- cryptedbuf = NULL; +- RETVAL_TRUE; +- } else { ++ zend_string *out = zend_string_alloc(out_len, 0); ++ if (EVP_PKEY_decrypt(ctx, (unsigned char *) ZSTR_VAL(out), &out_len, ++ (unsigned char *) data, data_len) <= 0) { ++ zend_string_release(out); + php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + ++ out = zend_string_truncate(out, out_len, 0); ++ ZSTR_VAL(out)[out_len] = '\0'; ++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out); ++ RETVAL_TRUE; ++ ++cleanup: ++ EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +- if (cryptedbuf) { +- zend_string_release_ex(cryptedbuf, 0); +- } + } + /* }}} */ + +@@ -6363,10 +6345,6 @@ PHP_FUNCTION(openssl_private_decrypt) + PHP_FUNCTION(openssl_public_encrypt) + { + zval *key, *crypted; +- EVP_PKEY *pkey; +- int cryptedlen; +- zend_string *cryptedbuf; +- int successful = 0; + zend_long padding = RSA_PKCS1_PADDING; + char * data; + size_t data_len; +@@ -6375,11 +6353,7 @@ PHP_FUNCTION(openssl_public_encrypt) + RETURN_THROWS(); + } + +- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1); +- +- RETVAL_FALSE; +- +- pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0, 3); ++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0, 3); + if 
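Review bot: The rewritten body of `openssl_private_decrypt()` drops the `default:` branch that warned "key type not supported in this PHP build!", so a non-RSA key now only yields `false`. The failure presumably comes from `EVP_PKEY_CTX_set_rsa_padding()` and is recorded only in the OpenSSL error queue. The diagnostic can be kept with one line after the `pkey == NULL` check: `if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!");`. The same branch is removed from `openssl_public_encrypt()`, `openssl_private_encrypt()` and `openssl_public_decrypt()` in this patch and the next. The function's opening lines are in earlier hunks.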
(pkey == NULL) { + if (!EG(exception)) { + php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key"); +@@ -6387,35 +6361,32 @@ PHP_FUNCTION(openssl_public_encrypt) + RETURN_FALSE; + } + +- cryptedlen = EVP_PKEY_size(pkey); +- cryptedbuf = zend_string_alloc(cryptedlen, 0); +- +- switch (EVP_PKEY_id(pkey)) { +- case EVP_PKEY_RSA: +- case EVP_PKEY_RSA2: +- successful = (RSA_public_encrypt((int)data_len, +- (unsigned char *)data, +- (unsigned char *)ZSTR_VAL(cryptedbuf), +- EVP_PKEY_get0_RSA(pkey), +- (int)padding) == cryptedlen); +- break; +- default: +- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!"); +- ++ size_t out_len = 0; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL); ++ if (!ctx || EVP_PKEY_encrypt_init(ctx) <= 0 || ++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 || ++ EVP_PKEY_encrypt(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) { ++ php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + +- if (successful) { +- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0'; +- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf); +- cryptedbuf = NULL; +- RETVAL_TRUE; +- } else { ++ zend_string *out = zend_string_alloc(out_len, 0); ++ if (EVP_PKEY_encrypt(ctx, (unsigned char *) ZSTR_VAL(out), &out_len, ++ (unsigned char *) data, data_len) <= 0) { ++ zend_string_release(out); + php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } ++ ++ ZSTR_VAL(out)[out_len] = '\0'; ++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out); ++ RETVAL_TRUE; ++ ++cleanup: ++ EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); +- if (cryptedbuf) { +- zend_string_release_ex(cryptedbuf, 0); +- } + } + /* }}} */ + +diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt +index b55b7ced44..eb76dfbf77 100644 +--- a/ext/openssl/tests/openssl_error_string_basic.phpt ++++ b/ext/openssl/tests/openssl_error_string_basic.phpt +@@ -119,7 +119,7 @@ 
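Review bot: In `openssl_public_encrypt()` the second `EVP_PKEY_encrypt()` call may update `out_len`, and the code then writes the terminator at `ZSTR_VAL(out)[out_len]` without adjusting the string's length, unlike `openssl_private_decrypt()` earlier in this patch, which calls `zend_string_truncate()` first. For RSA the two lengths are presumably always equal, but if the call ever returned fewer bytes, the result would expose uninitialised buffer contents past the terminator. Adding `out = zend_string_truncate(out, out_len, 0);` before the terminator makes the two functions consistent. `openssl_private_encrypt()` in the following patch has the same gap; the start of this function is in an earlier hunk.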
expect_openssl_errors('openssl_private_decrypt', ['04065072']); + // public encrypt and decrypt with failed padding check and padding + @openssl_public_encrypt("data", $crypted, $public_key_file, 1000); + @openssl_public_decrypt("data", $crypted, $public_key_file); +-expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '04068076', '04067072']); ++expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '0408F090', '04067072']); + + // X509 + echo "X509 errors\n"; +-- +2.35.3 + +From 08fc5c58b197732e8e4bdc8cf2d9fd9eecec3fb9 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 16:56:32 +0200 +Subject: [PATCH 10/39] Use EVP_PKEY APIs for + openssl_private_encrypt/public_decrypt + +Use high level APIs instead of deprecated low level APIs. + +(cherry picked from commit 384ad6e22412756d7a2fa7a4c35579f041784e59) +--- + ext/openssl/openssl.c | 119 +++++++----------- + .../tests/openssl_error_string_basic.phpt | 2 +- + 2 files changed, 45 insertions(+), 76 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index d5ccfb09cb..77b24b7a1b 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -6235,10 +6235,6 @@ clean_exit: + PHP_FUNCTION(openssl_private_encrypt) + { + zval *key, *crypted; +- EVP_PKEY *pkey; +- int cryptedlen; +- zend_string *cryptedbuf = NULL; +- int successful = 0; + char * data; + size_t data_len; + zend_long padding = RSA_PKCS1_PADDING; +@@ -6247,12 +6243,7 @@ PHP_FUNCTION(openssl_private_encrypt) + RETURN_THROWS(); + } + +- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1); +- +- RETVAL_FALSE; +- +- pkey = php_openssl_pkey_from_zval(key, 0, "", 0, 3); +- ++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 0, "", 0, 3); + if (pkey == NULL) { + if (!EG(exception)) { + php_error_docref(NULL, E_WARNING, "key param is not a valid private key"); +@@ -6260,33 +6251,31 @@ PHP_FUNCTION(openssl_private_encrypt) + RETURN_FALSE; + } + +- cryptedlen = 
EVP_PKEY_size(pkey); +- cryptedbuf = zend_string_alloc(cryptedlen, 0); +- +- switch (EVP_PKEY_id(pkey)) { +- case EVP_PKEY_RSA: +- case EVP_PKEY_RSA2: +- successful = (RSA_private_encrypt((int)data_len, +- (unsigned char *)data, +- (unsigned char *)ZSTR_VAL(cryptedbuf), +- EVP_PKEY_get0_RSA(pkey), +- (int)padding) == cryptedlen); +- break; +- default: +- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!"); ++ size_t out_len = 0; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL); ++ if (!ctx || EVP_PKEY_sign_init(ctx) <= 0 || ++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 || ++ EVP_PKEY_sign(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) { ++ php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + +- if (successful) { +- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0'; +- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf); +- cryptedbuf = NULL; +- RETVAL_TRUE; +- } else { ++ zend_string *out = zend_string_alloc(out_len, 0); ++ if (EVP_PKEY_sign(ctx, (unsigned char *) ZSTR_VAL(out), &out_len, ++ (unsigned char *) data, data_len) <= 0) { ++ zend_string_release(out); + php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } +- if (cryptedbuf) { +- zend_string_release_ex(cryptedbuf, 0); +- } ++ ++ ZSTR_VAL(out)[out_len] = '\0'; ++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out); ++ RETVAL_TRUE; ++ ++cleanup: ++ EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + } + /* }}} */ +@@ -6394,11 +6383,6 @@ cleanup: + PHP_FUNCTION(openssl_public_decrypt) + { + zval *key, *crypted; +- EVP_PKEY *pkey; +- int cryptedlen; +- zend_string *cryptedbuf = NULL; +- unsigned char *crypttemp; +- int successful = 0; + zend_long padding = RSA_PKCS1_PADDING; + char * data; + size_t data_len; +@@ -6407,11 +6391,7 @@ PHP_FUNCTION(openssl_public_decrypt) + RETURN_THROWS(); + } + +- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1); +- +- RETVAL_FALSE; +- +- pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0, 3); ++ EVP_PKEY *pkey = 
php_openssl_pkey_from_zval(key, 1, NULL, 0, 3); + if (pkey == NULL) { + if (!EG(exception)) { + php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key"); +@@ -6419,43 +6399,32 @@ PHP_FUNCTION(openssl_public_decrypt) + RETURN_FALSE; + } + +- cryptedlen = EVP_PKEY_size(pkey); +- crypttemp = emalloc(cryptedlen + 1); +- +- switch (EVP_PKEY_id(pkey)) { +- case EVP_PKEY_RSA: +- case EVP_PKEY_RSA2: +- cryptedlen = RSA_public_decrypt((int)data_len, +- (unsigned char *)data, +- crypttemp, +- EVP_PKEY_get0_RSA(pkey), +- (int)padding); +- if (cryptedlen != -1) { +- cryptedbuf = zend_string_alloc(cryptedlen, 0); +- memcpy(ZSTR_VAL(cryptedbuf), crypttemp, cryptedlen); +- successful = 1; +- } +- break; +- +- default: +- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!"); +- ++ size_t out_len = 0; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL); ++ if (!ctx || EVP_PKEY_verify_recover_init(ctx) <= 0 || ++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 || ++ EVP_PKEY_verify_recover(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) { ++ php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + +- efree(crypttemp); +- +- if (successful) { +- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0'; +- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf); +- cryptedbuf = NULL; +- RETVAL_TRUE; +- } else { ++ zend_string *out = zend_string_alloc(out_len, 0); ++ if (EVP_PKEY_verify_recover(ctx, (unsigned char *) ZSTR_VAL(out), &out_len, ++ (unsigned char *) data, data_len) <= 0) { ++ zend_string_release(out); + php_openssl_store_errors(); ++ RETVAL_FALSE; ++ goto cleanup; + } + +- if (cryptedbuf) { +- zend_string_release_ex(cryptedbuf, 0); +- } ++ out = zend_string_truncate(out, out_len, 0); ++ ZSTR_VAL(out)[out_len] = '\0'; ++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out); ++ RETVAL_TRUE; ++ ++cleanup: ++ EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + } + /* }}} */ +diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt 
b/ext/openssl/tests/openssl_error_string_basic.phpt +index eb76dfbf77..f3eb82067b 100644 +--- a/ext/openssl/tests/openssl_error_string_basic.phpt ++++ b/ext/openssl/tests/openssl_error_string_basic.phpt +@@ -112,7 +112,7 @@ expect_openssl_errors('openssl_pkey_export', ['06065064', '0906A065']); + expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]); + // private encrypt with unknown padding + @openssl_private_encrypt("data", $crypted, $private_key_file, 1000); +-expect_openssl_errors('openssl_private_encrypt', ['04066076']); ++expect_openssl_errors('openssl_private_encrypt', ['0408F090']); + // private decrypt with failed padding check + @openssl_private_decrypt("data", $crypted, $private_key_file); + expect_openssl_errors('openssl_private_decrypt', ['04065072']); +-- +2.35.3 + +From 162e1ff4452f6c48c9efd51393c06d24ae02f1d2 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Thu, 5 Aug 2021 10:29:50 +0200 +Subject: [PATCH 11/39] Use EVP_PKEY APIs for key generation + +Use high level API instead of deprecated low level API. 
+ +(cherry picked from commit 13313d9b1b9fa014fe6f92c496477e28f4f11772) +--- + ext/openssl/openssl.c | 210 +++++++++++++++----------------- + ext/openssl/tests/bug80747.phpt | 4 +- + 2 files changed, 101 insertions(+), 113 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 77b24b7a1b..f158815c6b 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3758,140 +3758,130 @@ static EVP_PKEY *php_openssl_pkey_from_zval( + return key; + } + ++static int php_openssl_get_evp_pkey_type(int key_type) { ++ switch (key_type) { ++ case OPENSSL_KEYTYPE_RSA: ++ return EVP_PKEY_RSA; ++#if !defined(NO_DSA) ++ case OPENSSL_KEYTYPE_DSA: ++ return EVP_PKEY_DSA; ++#endif ++#if !defined(NO_DH) ++ case OPENSSL_KEYTYPE_DH: ++ return EVP_PKEY_DH; ++#endif ++#ifdef HAVE_EVP_PKEY_EC ++ case OPENSSL_KEYTYPE_EC: ++ return EVP_PKEY_EC; ++#endif ++ default: ++ return -1; ++ } ++} ++ + /* {{{ php_openssl_generate_private_key */ + static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req) + { +- char * randfile = NULL; +- int egdsocket, seeded; +- EVP_PKEY * return_val = NULL; +- + if (req->priv_key_bits < MIN_KEY_LENGTH) { + php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d", + MIN_KEY_LENGTH, req->priv_key_bits); + return NULL; + } + +- randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE"); ++ int type = php_openssl_get_evp_pkey_type(req->priv_key_type); ++ if (type < 0) { ++ php_error_docref(NULL, E_WARNING, "Unsupported private key type"); ++ return NULL; ++ } ++ ++ int egdsocket, seeded; ++ char *randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE"); + php_openssl_load_rand_file(randfile, &egdsocket, &seeded); ++ PHP_OPENSSL_RAND_ADD_TIME(); + +- if ((req->priv_key = EVP_PKEY_new()) != NULL) { +- switch(req->priv_key_type) { +- case OPENSSL_KEYTYPE_RSA: +- { +- RSA* rsaparam; +-#if OPENSSL_VERSION_NUMBER < 
0x10002000L +- /* OpenSSL 1.0.2 deprecates RSA_generate_key */ +- PHP_OPENSSL_RAND_ADD_TIME(); +- rsaparam = (RSA*)RSA_generate_key(req->priv_key_bits, RSA_F4, NULL, NULL); +-#else +- { +- BIGNUM *bne = (BIGNUM *)BN_new(); +- if (BN_set_word(bne, RSA_F4) != 1) { +- BN_free(bne); +- php_error_docref(NULL, E_WARNING, "Failed setting exponent"); +- return NULL; +- } +- rsaparam = RSA_new(); +- PHP_OPENSSL_RAND_ADD_TIME(); +- if (rsaparam == NULL || !RSA_generate_key_ex(rsaparam, req->priv_key_bits, bne, NULL)) { +- php_openssl_store_errors(); +- RSA_free(rsaparam); +- rsaparam = NULL; +- } +- BN_free(bne); +- } +-#endif +- if (rsaparam && EVP_PKEY_assign_RSA(req->priv_key, rsaparam)) { +- return_val = req->priv_key; +- } else { +- php_openssl_store_errors(); +- } +- } +- break; ++ EVP_PKEY *key = NULL; ++ EVP_PKEY *params = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(type, NULL); ++ if (!ctx) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ ++ if (type != EVP_PKEY_RSA) { ++ if (EVP_PKEY_paramgen_init(ctx) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ ++ switch (type) { + #if !defined(NO_DSA) +- case OPENSSL_KEYTYPE_DSA: +- PHP_OPENSSL_RAND_ADD_TIME(); +- { +- DSA *dsaparam = DSA_new(); +- if (dsaparam && DSA_generate_parameters_ex(dsaparam, req->priv_key_bits, NULL, 0, NULL, NULL, NULL)) { +- DSA_set_method(dsaparam, DSA_get_default_method()); +- if (DSA_generate_key(dsaparam)) { +- if (EVP_PKEY_assign_DSA(req->priv_key, dsaparam)) { +- return_val = req->priv_key; +- } else { +- php_openssl_store_errors(); +- } +- } else { +- php_openssl_store_errors(); +- DSA_free(dsaparam); +- } +- } else { +- php_openssl_store_errors(); +- } +- } +- break; ++ case EVP_PKEY_DSA: ++ if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, req->priv_key_bits) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ break; + #endif + #if !defined(NO_DH) +- case OPENSSL_KEYTYPE_DH: +- PHP_OPENSSL_RAND_ADD_TIME(); +- { +- int codes = 0; +- DH *dhparam = 
DH_new(); +- if (dhparam && DH_generate_parameters_ex(dhparam, req->priv_key_bits, 2, NULL)) { +- DH_set_method(dhparam, DH_get_default_method()); +- if (DH_check(dhparam, &codes) && codes == 0 && DH_generate_key(dhparam)) { +- if (EVP_PKEY_assign_DH(req->priv_key, dhparam)) { +- return_val = req->priv_key; +- } else { +- php_openssl_store_errors(); +- } +- } else { +- php_openssl_store_errors(); +- DH_free(dhparam); +- } +- } else { +- php_openssl_store_errors(); +- } +- } +- break; ++ case EVP_PKEY_DH: ++ if (EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, req->priv_key_bits) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ break; + #endif + #ifdef HAVE_EVP_PKEY_EC +- case OPENSSL_KEYTYPE_EC: +- { +- EC_KEY *eckey; +- if (req->curve_name == NID_undef) { +- php_error_docref(NULL, E_WARNING, "Missing configuration value: \"curve_name\" not set"); +- return NULL; +- } +- eckey = EC_KEY_new_by_curve_name(req->curve_name); +- if (eckey) { +- EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); +- if (EC_KEY_generate_key(eckey) && +- EVP_PKEY_assign_EC_KEY(req->priv_key, eckey)) { +- return_val = req->priv_key; +- } else { +- EC_KEY_free(eckey); +- } +- } +- } +- break; ++ case EVP_PKEY_EC: ++ if (req->curve_name == NID_undef) { ++ php_error_docref(NULL, E_WARNING, "Missing configuration value: \"curve_name\" not set"); ++ goto cleanup; ++ } ++ ++ if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, req->curve_name) <= 0 || ++ EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ break; + #endif +- default: +- php_error_docref(NULL, E_WARNING, "Unsupported private key type"); ++ EMPTY_SWITCH_DEFAULT_CASE() + } +- } else { ++ ++ if (EVP_PKEY_paramgen(ctx, ¶ms) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ ++ EVP_PKEY_CTX_free(ctx); ++ ctx = EVP_PKEY_CTX_new(params, NULL); ++ if (!ctx) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } ++ } ++ ++ if (EVP_PKEY_keygen_init(ctx) 
<= 0) { + php_openssl_store_errors(); ++ goto cleanup; + } + +- php_openssl_write_rand_file(randfile, egdsocket, seeded); ++ if (type == EVP_PKEY_RSA && EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, req->priv_key_bits) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; ++ } + +- if (return_val == NULL) { +- EVP_PKEY_free(req->priv_key); +- req->priv_key = NULL; +- return NULL; ++ if (EVP_PKEY_keygen(ctx, &key) <= 0) { ++ php_openssl_store_errors(); ++ goto cleanup; + } + +- return return_val; ++ req->priv_key = key; ++ ++cleanup: ++ php_openssl_write_rand_file(randfile, egdsocket, seeded); ++ EVP_PKEY_free(params); ++ EVP_PKEY_CTX_free(ctx); ++ return key; + } + /* }}} */ + +diff --git a/ext/openssl/tests/bug80747.phpt b/ext/openssl/tests/bug80747.phpt +index 327c916688..12ae0ff0e1 100644 +--- a/ext/openssl/tests/bug80747.phpt ++++ b/ext/openssl/tests/bug80747.phpt +@@ -14,9 +14,7 @@ $conf = array( + 'private_key_bits' => 511, + ); + var_dump(openssl_pkey_new($conf)); +-while ($e = openssl_error_string()) { +- echo $e, "\n"; +-} ++echo openssl_error_string(), "\n"; + + ?> + --EXPECTF-- +-- +2.35.3 + +From f3ac6b3dff7a9062186e595deebe268174d5abb8 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Thu, 5 Aug 2021 11:50:11 +0200 +Subject: [PATCH 12/39] Relax error check + +The precise error is version-dependent, just check that there +is some kind of error reported. 
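Review bot: The `EMPTY_SWITCH_DEFAULT_CASE()` in the parameter-generation switch of php_openssl_generate_private_key is only safe while its `#if` guards stay identical to those in the new php_openssl_get_evp_pkey_type helper. As far as I know that macro is an unreachable hint in release builds, so if the two lists ever drift apart the behaviour for the unmatched key type would be undefined rather than a clean failure. I would make the default an ordinary error path, `default: php_error_docref(NULL, E_WARNING, "Unsupported private key type"); goto cleanup;`, which keeps key generation fail-closed. A one-line comment on the helper saying it returns -1 for types not compiled in would also help.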
+ +(cherry picked from commit cd8bf0b6bd23e03bdc8d069df53a2d976809a916) +--- + ext/openssl/tests/bug80747.phpt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/openssl/tests/bug80747.phpt b/ext/openssl/tests/bug80747.phpt +index 12ae0ff0e1..3f319b4b24 100644 +--- a/ext/openssl/tests/bug80747.phpt ++++ b/ext/openssl/tests/bug80747.phpt +@@ -14,9 +14,9 @@ $conf = array( + 'private_key_bits' => 511, + ); + var_dump(openssl_pkey_new($conf)); +-echo openssl_error_string(), "\n"; ++var_dump(openssl_error_string() !== false); + + ?> +---EXPECTF-- ++--EXPECT-- + bool(false) +-error:%s:key size too small ++bool(true) +-- +2.35.3 + +From de7bd3a3d035d0b018058ee623412d08c5e50b6e Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Thu, 5 Aug 2021 12:59:13 +0200 +Subject: [PATCH 13/39] Store whether pkey object contains private key + +Rather than querying whether the EVP_PKEY contains private key +information, determine this at time of construction and store it +in the PHP object. + +OpenSSL doesn't provide an API for this purpose, and seems +somewhat reluctant to add one, see +https://github.com/openssl/openssl/issues/9467. + +To avoid using deprecated low-level APIs to determine whether +something is a private key ourselves, remember it at the point +of construction. 
+ +(cherry picked from commit f878bbd96b34ac11fed66c895891570ef10b0dcb) +--- + ext/openssl/openssl.c | 155 +++++++++--------------------------------- + 1 file changed, 31 insertions(+), 124 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index f158815c6b..afd6072d12 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -201,6 +201,7 @@ static void php_openssl_request_free_obj(zend_object *object) + + typedef struct _php_openssl_pkey_object { + EVP_PKEY *pkey; ++ bool is_private; + zend_object std; + } php_openssl_pkey_object; + +@@ -224,6 +225,13 @@ static zend_object *php_openssl_pkey_create_object(zend_class_entry *class_type) + return &intern->std; + } + ++static void php_openssl_pkey_object_init(zval *zv, EVP_PKEY *pkey, bool is_private) { ++ object_init_ex(zv, php_openssl_pkey_ce); ++ php_openssl_pkey_object *obj = Z_OPENSSL_PKEY_P(zv); ++ obj->pkey = pkey; ++ obj->is_private = is_private; ++} ++ + static zend_function *php_openssl_pkey_get_constructor(zend_object *object) { + zend_throw_error(NULL, "Cannot directly construct OpenSSLAsymmetricKey, use openssl_pkey_new() instead"); + return NULL; +@@ -608,7 +616,6 @@ static X509_REQ *php_openssl_csr_from_param( + static EVP_PKEY *php_openssl_pkey_from_zval( + zval *val, int public_key, char *passphrase, size_t passphrase_len, uint32_t arg_num); + +-static int php_openssl_is_private_key(EVP_PKEY* pkey); + static X509_STORE * php_openssl_setup_verify(zval * calist, uint32_t arg_num); + static STACK_OF(X509) * php_openssl_load_all_certs_from_file( + char *cert_file, size_t cert_file_len, uint32_t arg_num); +@@ -3463,11 +3470,8 @@ PHP_FUNCTION(openssl_csr_new) + if (we_made_the_key) { + /* and an object for the private key */ + zval zkey_object; +- php_openssl_pkey_object *key_object; +- object_init_ex(&zkey_object, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(&zkey_object); +- key_object->pkey = req.priv_key; +- ++ php_openssl_pkey_object_init( ++ &zkey_object, 
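Review bot: php_openssl_pkey_object_init has no comment, yet the `is_private` flag it stores is what php_openssl_pkey_from_zval trusts, in a later hunk of this patch, when a private key is requested. I would document that on the helper, e.g. `/* Wraps pkey in a new OpenSSLAsymmetricKey without taking an extra reference; is_private must be true only if pkey really holds private key material, because private-key operations are gated on it. */`. Whether the object's free handler releases pkey is not visible in this hunk, so the ownership half of that comment should be confirmed before it is added.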
req.priv_key, /* is_private */ true); + ZEND_TRY_ASSIGN_REF_TMP(out_pkey, &zkey_object); + req.priv_key = NULL; /* make sure the cleanup code doesn't zap it! */ + } +@@ -3525,7 +3529,6 @@ PHP_FUNCTION(openssl_csr_get_public_key) + zend_string *csr_str; + zend_bool use_shortnames = 1; + +- php_openssl_pkey_object *key_object; + EVP_PKEY *tpubkey; + + ZEND_PARSE_PARAMETERS_START(1, 2) +@@ -3568,9 +3571,7 @@ PHP_FUNCTION(openssl_csr_get_public_key) + RETURN_FALSE; + } + +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = tpubkey; ++ php_openssl_pkey_object_init(return_value, tpubkey, /* is_private */ false); + } + /* }}} */ + +@@ -3647,10 +3648,9 @@ static EVP_PKEY *php_openssl_pkey_from_zval( + } + + if (Z_TYPE_P(val) == IS_OBJECT && Z_OBJCE_P(val) == php_openssl_pkey_ce) { +- int is_priv; +- +- key = php_openssl_pkey_from_obj(Z_OBJ_P(val))->pkey; +- is_priv = php_openssl_is_private_key(key); ++ php_openssl_pkey_object *obj = php_openssl_pkey_from_obj(Z_OBJ_P(val)); ++ key = obj->pkey; ++ bool is_priv = obj->is_private; + + /* check whether it is actually a private key if requested */ + if (!public_key && !is_priv) { +@@ -3885,85 +3885,6 @@ cleanup: + } + /* }}} */ + +-/* {{{ php_openssl_is_private_key +- Check whether the supplied key is a private key by checking if the secret prime factors are set */ +-static int php_openssl_is_private_key(EVP_PKEY* pkey) +-{ +- assert(pkey != NULL); +- +- switch (EVP_PKEY_id(pkey)) { +- case EVP_PKEY_RSA: +- case EVP_PKEY_RSA2: +- { +- RSA *rsa = EVP_PKEY_get0_RSA(pkey); +- if (rsa != NULL) { +- const BIGNUM *p, *q; +- +- RSA_get0_factors(rsa, &p, &q); +- if (p == NULL || q == NULL) { +- return 0; +- } +- } +- } +- break; +- case EVP_PKEY_DSA: +- case EVP_PKEY_DSA1: +- case EVP_PKEY_DSA2: +- case EVP_PKEY_DSA3: +- case EVP_PKEY_DSA4: +- { +- DSA *dsa = EVP_PKEY_get0_DSA(pkey); +- if (dsa != NULL) { +- const BIGNUM *p, *q, *g, *pub_key, *priv_key; +- +- 
DSA_get0_pqg(dsa, &p, &q, &g); +- if (p == NULL || q == NULL) { +- return 0; +- } +- +- DSA_get0_key(dsa, &pub_key, &priv_key); +- if (priv_key == NULL) { +- return 0; +- } +- } +- } +- break; +- case EVP_PKEY_DH: +- { +- DH *dh = EVP_PKEY_get0_DH(pkey); +- if (dh != NULL) { +- const BIGNUM *p, *q, *g, *pub_key, *priv_key; +- +- DH_get0_pqg(dh, &p, &q, &g); +- if (p == NULL) { +- return 0; +- } +- +- DH_get0_key(dh, &pub_key, &priv_key); +- if (priv_key == NULL) { +- return 0; +- } +- } +- } +- break; +-#ifdef HAVE_EVP_PKEY_EC +- case EVP_PKEY_EC: +- { +- EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); +- if (ec != NULL && NULL == EC_KEY_get0_private_key(ec)) { +- return 0; +- } +- } +- break; +-#endif +- default: +- php_error_docref(NULL, E_WARNING, "Key type not supported in this PHP build!"); +- break; +- } +- return 1; +-} +-/* }}} */ +- + #define OPENSSL_GET_BN(_array, _bn, _name) do { \ + if (_bn != NULL) { \ + int len = BN_num_bytes(_bn); \ +@@ -4022,7 +3943,7 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, + } + + /* {{{ php_openssl_pkey_init_dsa */ +-static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data) ++static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_private) + { + BIGNUM *p, *q, *g, *priv_key, *pub_key; + const BIGNUM *priv_key_const, *pub_key_const; +@@ -4036,6 +3957,7 @@ static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data) + + OPENSSL_PKEY_SET_BN(data, pub_key); + OPENSSL_PKEY_SET_BN(data, priv_key); ++ *is_private = priv_key != NULL; + if (pub_key) { + return DSA_set0_key(dsa, pub_key, priv_key); + } +@@ -4100,7 +4022,7 @@ static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM + /* }}} */ + + /* {{{ php_openssl_pkey_init_dh */ +-static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data) ++static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private) + { + BIGNUM *p, *q, *g, *priv_key, *pub_key; + +@@ -4113,6 +4035,7 @@ static 
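Review bot: In php_openssl_pkey_init_dsa the new line `*is_private = priv_key != NULL;` records only whether the caller's array carried a priv_key. The hunk ends at the `if (pub_key)` return, so the rest of the function is not visible here. If it goes on to generate a key pair when pub_key is absent, the resulting object holds a private key but is flagged as public, and php_openssl_pkey_from_zval will refuse it for private-key use. The same assignment is added to php_openssl_pkey_init_dh in the next hunk, and the EC branch of openssl_pkey_new sets `is_private = true` only when `d` is supplied. If those fall-through paths do generate keys, add `*is_private = true;` immediately before the generation call in each.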
zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data) + + OPENSSL_PKEY_SET_BN(data, priv_key); + OPENSSL_PKEY_SET_BN(data, pub_key); ++ *is_private = priv_key != NULL; + if (pub_key) { + return DH_set0_key(dh, pub_key, priv_key); + } +@@ -4141,7 +4064,6 @@ PHP_FUNCTION(openssl_pkey_new) + struct php_x509_request req; + zval * args = NULL; + zval *data; +- php_openssl_pkey_object *key_object; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "|a!", &args) == FAILURE) { + RETURN_THROWS(); +@@ -4158,9 +4080,7 @@ PHP_FUNCTION(openssl_pkey_new) + RSA *rsa = RSA_new(); + if (rsa) { + if (php_openssl_pkey_init_and_assign_rsa(pkey, rsa, data)) { +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true); + return; + } + RSA_free(rsa); +@@ -4178,11 +4098,10 @@ PHP_FUNCTION(openssl_pkey_new) + if (pkey) { + DSA *dsa = DSA_new(); + if (dsa) { +- if (php_openssl_pkey_init_dsa(dsa, data)) { ++ bool is_private; ++ if (php_openssl_pkey_init_dsa(dsa, data, &is_private)) { + if (EVP_PKEY_assign_DSA(pkey, dsa)) { +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); + return; + } else { + php_openssl_store_errors(); +@@ -4203,13 +4122,10 @@ PHP_FUNCTION(openssl_pkey_new) + if (pkey) { + DH *dh = DH_new(); + if (dh) { +- if (php_openssl_pkey_init_dh(dh, data)) { ++ bool is_private; ++ if (php_openssl_pkey_init_dh(dh, data, &is_private)) { + if (EVP_PKEY_assign_DH(pkey, dh)) { +- php_openssl_pkey_object *key_object; +- +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); + return; + } else { + php_openssl_store_errors(); +@@ -4235,6 +4151,7 @@ 
PHP_FUNCTION(openssl_pkey_new) + if (pkey) { + eckey = EC_KEY_new(); + if (eckey) { ++ bool is_private = false; + EC_GROUP *group = NULL; + zval *bn; + zval *x; +@@ -4266,6 +4183,7 @@ PHP_FUNCTION(openssl_pkey_new) + // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y' + if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL && + Z_TYPE_P(bn) == IS_STRING) { ++ is_private = true; + d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL); + if (!EC_KEY_set_private_key(eckey, d)) { + php_openssl_store_errors(); +@@ -4313,10 +4231,7 @@ PHP_FUNCTION(openssl_pkey_new) + } + if (EC_KEY_check_key(eckey) && EVP_PKEY_assign_EC_KEY(pkey, eckey)) { + EC_GROUP_free(group); +- +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); + return; + } else { + php_openssl_store_errors(); +@@ -4351,9 +4266,7 @@ clean_exit: + if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) { + if (php_openssl_generate_private_key(&req)) { + /* pass back a key resource */ +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = req.priv_key; ++ php_openssl_pkey_object_init(return_value, req.priv_key, /* is_private */ true); + /* make sure the cleanup code doesn't zap it! 
*/ + req.priv_key = NULL; + } +@@ -4526,7 +4439,6 @@ PHP_FUNCTION(openssl_pkey_get_public) + { + zval *cert; + EVP_PKEY *pkey; +- php_openssl_pkey_object *key_object; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &cert) == FAILURE) { + RETURN_THROWS(); +@@ -4536,9 +4448,7 @@ PHP_FUNCTION(openssl_pkey_get_public) + RETURN_FALSE; + } + +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ false); + } + /* }}} */ + +@@ -4560,7 +4470,6 @@ PHP_FUNCTION(openssl_pkey_get_private) + EVP_PKEY *pkey; + char * passphrase = ""; + size_t passphrase_len = sizeof("")-1; +- php_openssl_pkey_object *key_object; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|s!", &cert, &passphrase, &passphrase_len) == FAILURE) { + RETURN_THROWS(); +@@ -4575,9 +4484,7 @@ PHP_FUNCTION(openssl_pkey_get_private) + RETURN_FALSE; + } + +- object_init_ex(return_value, php_openssl_pkey_ce); +- key_object = Z_OPENSSL_PKEY_P(return_value); +- key_object->pkey = pkey; ++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true); + } + + /* }}} */ +-- +2.35.3 + +From 10413110152d816c16aee3ef854cce4784966239 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Thu, 5 Aug 2021 14:59:16 +0200 +Subject: [PATCH 14/39] Add test for openssl_dh_compute_key() + +This function was not tested at all :( + +(cherry picked from commit 7168f71e00676172e7fcf710adfc07eccd6714e6) +--- + ext/openssl/tests/openssl_dh_compute_key.phpt | 29 +++++++++++++++++++ + 1 file changed, 29 insertions(+) + create mode 100644 ext/openssl/tests/openssl_dh_compute_key.phpt + +diff --git a/ext/openssl/tests/openssl_dh_compute_key.phpt b/ext/openssl/tests/openssl_dh_compute_key.phpt +new file mode 100644 +index 0000000000..8730f4b57d +--- /dev/null ++++ b/ext/openssl/tests/openssl_dh_compute_key.phpt +@@ -0,0 +1,29 @@ ++--TEST-- ++openssl_dh_compute_key() ++--FILE-- ++ ++--EXPECT-- 
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 +-- +2.35.3 + +From 81985366729b7e81d924007cae618f1f75f9a7e1 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Thu, 5 Aug 2021 14:52:56 +0200 +Subject: [PATCH 15/39] Extract php_openssl_pkey_derive() function + +To allow sharing it with the openssl_dh_compute_key() implementation. + +(cherry picked from commit c6542b2a1e431e7fa980bd97c696c8c48fb58dc3) +--- + ext/openssl/openssl.c | 77 +++++++++++++++++++++++-------------------- + 1 file changed, 41 insertions(+), 36 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index afd6072d12..ceece680b8 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4662,6 +4662,34 @@ PHP_FUNCTION(openssl_pkey_get_details) + } + /* }}} */ + ++static zend_string *php_openssl_pkey_derive(EVP_PKEY *key, EVP_PKEY *peer_key, size_t key_size) { ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(key, NULL); ++ if (!ctx) { ++ return NULL; ++ } ++ ++ if (EVP_PKEY_derive_init(ctx) <= 0 || ++ EVP_PKEY_derive_set_peer(ctx, peer_key) <= 0 || ++ (key_size == 0 && EVP_PKEY_derive(ctx, NULL, &key_size) <= 0)) { ++ php_openssl_store_errors(); ++ EVP_PKEY_CTX_free(ctx); ++ return NULL; ++ } ++ ++ zend_string *result = zend_string_alloc(key_size, 0); ++ if (EVP_PKEY_derive(ctx, (unsigned char *)ZSTR_VAL(result), &key_size) <= 0) { ++ php_openssl_store_errors(); ++ zend_string_release_ex(result, 0); ++ EVP_PKEY_CTX_free(ctx); ++ return NULL; ++ } ++ ++ ZSTR_LEN(result) = key_size; ++ ZSTR_VAL(result)[key_size] = 0; ++ EVP_PKEY_CTX_free(ctx); ++ return result; ++} ++ + /* {{{ Computes shared secret for public value of remote DH key and local DH key */ + PHP_FUNCTION(openssl_dh_compute_key) + { +@@ -4669,7 +4697,6 @@ PHP_FUNCTION(openssl_dh_compute_key) + char *pub_str; + size_t pub_len; + DH *dh; +- EVP_PKEY *pkey; + BIGNUM *pub; + zend_string *data; + int len; +@@ -4680,11 +4707,12 @@ PHP_FUNCTION(openssl_dh_compute_key) + + PHP_OPENSSL_CHECK_SIZE_T_TO_INT(pub_len, 
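Review bot: php_openssl_pkey_derive sizes the output buffer from the caller's `key_size` whenever it is non-zero and never asks OpenSSL how many bytes the derivation needs. openssl_pkey_derive passes the user-supplied `key_len` straight through. A value smaller than the shared secret therefore relies entirely on EVP_PKEY_derive honouring the length it is given, which may vary by key type and OpenSSL version and should not be assumed. I would always query the required size and allocate at least that much, then truncate if a shorter result was requested. The sketch below is meant to keep existing results unchanged, but that should be confirmed for the cases that currently fail instead of truncating.

```c
	size_t needed = 0;
	if (EVP_PKEY_derive_init(ctx) <= 0 ||
			EVP_PKEY_derive_set_peer(ctx, peer_key) <= 0 ||
			EVP_PKEY_derive(ctx, NULL, &needed) <= 0) {
		/* ... unchanged: store errors, free ctx, return NULL ... */
	}

	/* Never hand OpenSSL a buffer smaller than the size it reports. */
	size_t buf_size = key_size > needed ? key_size : needed;
	zend_string *result = zend_string_alloc(buf_size, 0);
	size_t out_len = buf_size;
	if (EVP_PKEY_derive(ctx, (unsigned char *)ZSTR_VAL(result), &out_len) <= 0) {
		/* ... unchanged: store errors, release result, free ctx, return NULL ... */
	}

	/* Keep the caller's requested length when it is shorter. */
	if (key_size != 0 && key_size < out_len) {
		out_len = key_size;
	}
	ZSTR_LEN(result) = out_len;
	ZSTR_VAL(result)[out_len] = 0;
```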
pub_key, 1); + +- pkey = Z_OPENSSL_PKEY_P(key)->pkey; ++ EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey; + + if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) { + RETURN_FALSE; + } ++ + dh = EVP_PKEY_get0_DH(pkey); + if (dh == NULL) { + RETURN_FALSE; +@@ -4714,59 +4742,36 @@ PHP_FUNCTION(openssl_pkey_derive) + { + zval *priv_key; + zval *peer_pub_key; +- EVP_PKEY *pkey = NULL; +- EVP_PKEY *peer_key = NULL; +- EVP_PKEY_CTX *ctx = NULL; +- size_t key_size; + zend_long key_len = 0; +- zend_string *result; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz|l", &peer_pub_key, &priv_key, &key_len) == FAILURE) { + RETURN_THROWS(); + } + +- RETVAL_FALSE; + if (key_len < 0) { + zend_argument_value_error(3, "must be greater than or equal to 0"); + RETURN_THROWS(); + } + +- key_size = key_len; +- pkey = php_openssl_pkey_from_zval(priv_key, 0, "", 0, 2); ++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(priv_key, 0, "", 0, 2); + if (!pkey) { +- goto cleanup; ++ RETURN_FALSE; + } + +- peer_key = php_openssl_pkey_from_zval(peer_pub_key, 1, NULL, 0, 1); ++ EVP_PKEY *peer_key = php_openssl_pkey_from_zval(peer_pub_key, 1, NULL, 0, 1); + if (!peer_key) { +- goto cleanup; +- } +- +- ctx = EVP_PKEY_CTX_new(pkey, NULL); +- if (!ctx) { +- goto cleanup; +- } +- +- if (EVP_PKEY_derive_init(ctx) > 0 +- && EVP_PKEY_derive_set_peer(ctx, peer_key) > 0 +- && (key_size > 0 || EVP_PKEY_derive(ctx, NULL, &key_size) > 0) +- && (result = zend_string_alloc(key_size, 0)) != NULL) { +- if (EVP_PKEY_derive(ctx, (unsigned char*)ZSTR_VAL(result), &key_size) > 0) { +- ZSTR_LEN(result) = key_size; +- ZSTR_VAL(result)[key_size] = 0; +- RETVAL_NEW_STR(result); +- } else { +- php_openssl_store_errors(); +- zend_string_release_ex(result, 0); +- RETVAL_FALSE; +- } ++ EVP_PKEY_free(pkey); ++ RETURN_FALSE; + } + +-cleanup: ++ zend_string *result = php_openssl_pkey_derive(pkey, peer_key, key_len); + EVP_PKEY_free(pkey); + EVP_PKEY_free(peer_key); +- if (ctx) { +- EVP_PKEY_CTX_free(ctx); ++ ++ if (result) { ++ 
RETURN_NEW_STR(result); ++ } else { ++ RETURN_FALSE; + } + } + /* }}} */ +-- +2.35.3 + +From dda6e3b15760809b86a5ddf45cc19cc606b408f2 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Thu, 5 Aug 2021 15:58:20 +0200 +Subject: [PATCH 16/39] Avoid DH_compute_key() with OpenSSL 3 + +Instead construct a proper EVP_PKEY for the public key and +perform a derive operation. + +Unfortunately we can't use a common code path here, because +EVP_PKEY_set1_encoded_public_key() formerly known as +EVP_PKEY_set1_tls_encodedpoint() does not appear to work with +DH keys prior to OpenSSL 3. + +(cherry picked from commit cb48260fdd7e8a5a636e68917eca484530af5c94) +--- + ext/openssl/openssl.c | 64 +++++++++++++++++++++++++++---------------- + 1 file changed, 40 insertions(+), 24 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index ceece680b8..1b27f609fe 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4690,16 +4690,48 @@ static zend_string *php_openssl_pkey_derive(EVP_PKEY *key, EVP_PKEY *peer_key, s + return result; + } + ++static zend_string *php_openssl_dh_compute_key(EVP_PKEY *pkey, char *pub_str, size_t pub_len) { ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ EVP_PKEY *peer_key = EVP_PKEY_new(); ++ if (!peer_key || EVP_PKEY_copy_parameters(peer_key, pkey) <= 0 || ++ EVP_PKEY_set1_encoded_public_key(peer_key, (unsigned char *) pub_str, pub_len) <= 0) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(peer_key); ++ return NULL; ++ } ++ ++ zend_string *result = php_openssl_pkey_derive(pkey, peer_key, 0); ++ EVP_PKEY_free(peer_key); ++ return result; ++#else ++ DH *dh = EVP_PKEY_get0_DH(pkey); ++ if (dh == NULL) { ++ return NULL; ++ } ++ ++ BIGNUM *pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL); ++ zend_string *data = zend_string_alloc(DH_size(dh), 0); ++ int len = DH_compute_key((unsigned char*)ZSTR_VAL(data), pub, dh); ++ BN_free(pub); ++ ++ if (len < 0) { ++ php_openssl_store_errors(); ++ zend_string_release_ex(data, 0); 
++ return NULL; ++ } ++ ++ ZSTR_LEN(data) = len; ++ ZSTR_VAL(data)[len] = 0; ++ return data; ++#endif ++} ++ + /* {{{ Computes shared secret for public value of remote DH key and local DH key */ + PHP_FUNCTION(openssl_dh_compute_key) + { + zval *key; + char *pub_str; + size_t pub_len; +- DH *dh; +- BIGNUM *pub; +- zend_string *data; +- int len; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "sO", &pub_str, &pub_len, &key, php_openssl_pkey_ce) == FAILURE) { + RETURN_THROWS(); +@@ -4708,32 +4740,16 @@ PHP_FUNCTION(openssl_dh_compute_key) + PHP_OPENSSL_CHECK_SIZE_T_TO_INT(pub_len, pub_key, 1); + + EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey; +- + if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) { + RETURN_FALSE; + } + +- dh = EVP_PKEY_get0_DH(pkey); +- if (dh == NULL) { +- RETURN_FALSE; +- } +- +- pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL); +- +- data = zend_string_alloc(DH_size(dh), 0); +- len = DH_compute_key((unsigned char*)ZSTR_VAL(data), pub, dh); +- +- if (len >= 0) { +- ZSTR_LEN(data) = len; +- ZSTR_VAL(data)[len] = 0; +- RETVAL_NEW_STR(data); ++ zend_string *result = php_openssl_dh_compute_key(pkey, pub_str, pub_len); ++ if (result) { ++ RETURN_NEW_STR(result); + } else { +- php_openssl_store_errors(); +- zend_string_release_ex(data, 0); +- RETVAL_FALSE; ++ RETURN_FALSE; + } +- +- BN_free(pub); + } + /* }}} */ + +-- +2.35.3 + +From 6da4cc5e00da17af52467285a1101c39e95d0b66 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 14:54:59 +0200 +Subject: [PATCH 17/39] Use different algorithm in pkcs7 tests + +The default of OPENSSL_CIPHER_RC2_40 is no longer (non-legacy) +supported in OpenSSL 3, specify a newer cipher instead. + +We should probably either change the default (if acceptable) or +make the parameter required. 
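Review bot: In the pre-OpenSSL-3 branch of php_openssl_dh_compute_key the result of `BN_bin2bn()` is passed to DH_compute_key() without a NULL check, so an allocation failure hands a NULL peer value to OpenSSL. The code removed from openssl_dh_compute_key behaved the same way, but now that the logic lives in its own helper this is a cheap place to fix it. Add `if (pub == NULL) { php_openssl_store_errors(); return NULL; }` immediately after the BN_bin2bn call, before the zend_string_alloc, so nothing needs releasing on that path.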
+ +(cherry picked from commit 563b3e3472d7c5e3502fb49ef023b6e18ed0f22a) +--- + .../tests/openssl_pkcs7_decrypt_basic.phpt | 3 ++- + .../tests/openssl_pkcs7_encrypt_basic.phpt | 23 ++++++++++--------- + 2 files changed, 14 insertions(+), 12 deletions(-) + +diff --git a/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt b/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt +index eb0698da9f..0d4da7a251 100644 +--- a/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt ++++ b/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt +@@ -19,8 +19,9 @@ $single_cert = "file://" . __DIR__ . "/cert.crt"; + $headers = array("test@test", "testing openssl_pkcs7_encrypt()"); + $wrong = "wrong"; + $empty = ""; ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-openssl_pkcs7_encrypt($infile, $encrypted, $single_cert, $headers); ++openssl_pkcs7_encrypt($infile, $encrypted, $single_cert, $headers, 0, $cipher); + var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, $single_cert, $privkey)); + var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, openssl_x509_read($single_cert), $privkey)); + var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, $single_cert, $wrong)); +diff --git a/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt b/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt +index ef9b25e70b..7a600bc292 100644 +--- a/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt ++++ b/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt +@@ -20,19 +20,20 @@ $headers = array("test@test", "testing openssl_pkcs7_encrypt()"); + $empty_headers = array(); + $wrong = "wrong"; + $empty = ""; ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers, 0, $cipher)); + 
var_dump(openssl_pkcs7_decrypt($outfile, $outfile2, $single_cert, $privkey)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $assoc_headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $empty_headers)); +-var_dump(openssl_pkcs7_encrypt($wrong, $outfile, $single_cert, $headers)); +-var_dump(openssl_pkcs7_encrypt($empty, $outfile, $single_cert, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $empty, $single_cert, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $wrong, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $empty, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $multi_certs, $headers)); +-var_dump(openssl_pkcs7_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs) , $headers)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $assoc_headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $empty_headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($wrong, $outfile, $single_cert, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($empty, $outfile, $single_cert, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $empty, $single_cert, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $wrong, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $empty, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $multi_certs, $headers, 0, $cipher)); ++var_dump(openssl_pkcs7_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs), $headers, 0, $cipher)); + + if (file_exists($outfile)) { + echo "true\n"; +-- +2.35.3 + +From e4ab465140753e247a0cd9d9047364e582e59cbe Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Thu, 5 Aug 2021 16:30:55 +0200 +Subject: [PATCH 18/39] Use different algorithm in cms tests + +Same as with pkcs7, switch these tests to use an algorithm that +OpenSSL 3 supports out of the 
box. + +Once again, we should consider changing the default or making it +required. + +(cherry picked from commit ec4d926a80fe93c80d2b52f0178bc627097d9288) +--- + ext/openssl/tests/openssl_cms_decrypt_basic.phpt | 3 ++- + ext/openssl/tests/openssl_cms_encrypt_der.phpt | 3 ++- + ext/openssl/tests/openssl_cms_encrypt_pem.phpt | 3 ++- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ext/openssl/tests/openssl_cms_decrypt_basic.phpt b/ext/openssl/tests/openssl_cms_decrypt_basic.phpt +index 86c70f4fde..709194ec05 100644 +--- a/ext/openssl/tests/openssl_cms_decrypt_basic.phpt ++++ b/ext/openssl/tests/openssl_cms_decrypt_basic.phpt +@@ -15,8 +15,9 @@ $single_cert = "file://" . __DIR__ . "/cert.crt"; + $headers = array("test@test", "testing openssl_cms_encrypt()"); + $wrong = "wrong"; + $empty = ""; ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-openssl_cms_encrypt($infile, $encrypted, $single_cert, $headers); ++openssl_cms_encrypt($infile, $encrypted, $single_cert, $headers, cipher_algo: $cipher); + + var_dump(openssl_cms_decrypt($encrypted, $outfile, $single_cert, $privkey)); + print("\nDecrypted text:\n"); +diff --git a/ext/openssl/tests/openssl_cms_encrypt_der.phpt b/ext/openssl/tests/openssl_cms_encrypt_der.phpt +index e7aa8f4dad..06bfcabeb4 100644 +--- a/ext/openssl/tests/openssl_cms_encrypt_der.phpt ++++ b/ext/openssl/tests/openssl_cms_encrypt_der.phpt +@@ -14,8 +14,9 @@ $decryptfile = $tname . ".out"; + $single_cert = "file://" . __DIR__ . "/cert.crt"; + $privkey = "file://" . __DIR__ . 
"/private_rsa_1024.key"; + $headers = array("test@test", "testing openssl_cms_encrypt()"); ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_DER)); ++var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_DER, $cipher)); + if (openssl_cms_decrypt($cryptfile, $decryptfile, $single_cert, $privkey, OPENSSL_ENCODING_DER) == false) { + print "DER decrypt error\n"; + print "recipient:\n"; +diff --git a/ext/openssl/tests/openssl_cms_encrypt_pem.phpt b/ext/openssl/tests/openssl_cms_encrypt_pem.phpt +index 929f3f2e02..4030862391 100644 +--- a/ext/openssl/tests/openssl_cms_encrypt_pem.phpt ++++ b/ext/openssl/tests/openssl_cms_encrypt_pem.phpt +@@ -14,8 +14,9 @@ $decryptfile = $tname . ".pemout"; + $single_cert = "file://" . __DIR__ . "/cert.crt"; + $privkey = "file://" . __DIR__ . "/private_rsa_1024.key"; + $headers = array("test@test", "testing openssl_cms_encrypt()"); ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_PEM)); ++var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_PEM, $cipher)); + if (openssl_cms_decrypt($cryptfile, $decryptfile, $single_cert, $privkey, OPENSSL_ENCODING_PEM) == false) { + print "PEM decrypt error\n"; + print "recipient:\n"; +-- +2.35.3 + +From 3721dfdca9e62d5ecfba130c66b1e910bd2d1689 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Thu, 5 Aug 2021 17:07:44 +0200 +Subject: [PATCH 19/39] Use larger key size for DSA/DH tests + +OpenSSL 3 validates allowed sizes strictly, pick minimum sizes +that are supported. 
+ +(cherry picked from commit 1cf4fb739f7a4fa8404a4c0958f13d04eae519d4) +--- + ext/openssl/tests/bug73711.cnf | 3 --- + ext/openssl/tests/bug73711.phpt | 11 ++++++++--- + 2 files changed, 8 insertions(+), 6 deletions(-) + delete mode 100644 ext/openssl/tests/bug73711.cnf + +diff --git a/ext/openssl/tests/bug73711.cnf b/ext/openssl/tests/bug73711.cnf +deleted file mode 100644 +index 0d27d910d4..0000000000 +--- a/ext/openssl/tests/bug73711.cnf ++++ /dev/null +@@ -1,3 +0,0 @@ +-[ req ] +-default_bits = 384 +- +diff --git a/ext/openssl/tests/bug73711.phpt b/ext/openssl/tests/bug73711.phpt +index 0b3f91b8fe..4e4bba8aa8 100644 +--- a/ext/openssl/tests/bug73711.phpt ++++ b/ext/openssl/tests/bug73711.phpt +@@ -6,9 +6,14 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded"); + ?> + --FILE-- + OPENSSL_KEYTYPE_DSA, 'config' => $cnf])); +-var_dump(openssl_pkey_new(["private_key_type" => OPENSSL_KEYTYPE_DH, 'config' => $cnf])); ++var_dump(openssl_pkey_new([ ++ "private_key_type" => OPENSSL_KEYTYPE_DSA, ++ "private_key_bits" => 1024, ++])); ++var_dump(openssl_pkey_new([ ++ "private_key_type" => OPENSSL_KEYTYPE_DH, ++ "private_key_bits" => 512, ++])); + echo "DONE"; + ?> + --EXPECTF-- +-- +2.35.3 + +From c1b1cba2c21378bc51881c4f5d335405a7384b56 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 4 Aug 2021 13:54:26 +0200 +Subject: [PATCH 20/39] Skip some tests if cipher not available + +(cherry picked from commit d23a8b33abc3cd7e516563877a3f698b7a94ac10) +--- + ext/openssl/tests/bug71917.phpt | 1 + + ext/openssl/tests/bug72362.phpt | 1 + + ext/openssl/tests/openssl_decrypt_basic.phpt | 15 ++++++++++----- + 3 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/ext/openssl/tests/bug71917.phpt b/ext/openssl/tests/bug71917.phpt +index a68cf0162c..0cc518c4ef 100644 +--- a/ext/openssl/tests/bug71917.phpt ++++ b/ext/openssl/tests/bug71917.phpt +@@ -3,6 +3,7 @@ Bug #71917: openssl_open() returns junk on envelope < 16 bytes + --SKIPIF-- + + --FILE-- + + 
--FILE-- + +Date: Thu, 5 Aug 2021 16:29:43 +0200 +Subject: [PATCH 21/39] Use different cipher in one more CMS test + +Followup to ec4d926a80fe93c80d2b52f0178bc627097d9288 -- I failed +to squash in this commit. + +(cherry picked from commit a2c201351b32b1a7c44f6c6692c2a9fca9179e17) +--- + .../tests/openssl_cms_encrypt_basic.phpt | 23 ++++++++++--------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/ext/openssl/tests/openssl_cms_encrypt_basic.phpt b/ext/openssl/tests/openssl_cms_encrypt_basic.phpt +index f1a0c6af8b..ee706ebfba 100644 +--- a/ext/openssl/tests/openssl_cms_encrypt_basic.phpt ++++ b/ext/openssl/tests/openssl_cms_encrypt_basic.phpt +@@ -18,20 +18,21 @@ $headers = array("test@test", "testing openssl_cms_encrypt()"); + $empty_headers = array(); + $wrong = "wrong"; + $empty = ""; ++$cipher = OPENSSL_CIPHER_AES_128_CBC; + +-var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers, cipher_algo: $cipher)); + var_dump(openssl_cms_decrypt($outfile, $outfile2, $single_cert, $privkey)); + readfile($outfile2); +-var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $assoc_headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $empty_headers)); +-var_dump(openssl_cms_encrypt($wrong, $outfile, $single_cert, $headers)); +-var_dump(openssl_cms_encrypt($empty, $outfile, $single_cert, $headers)); +-var_dump(openssl_cms_encrypt($infile, $empty, $single_cert, $headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, $wrong, $headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, $empty, $headers)); +-var_dump(openssl_cms_encrypt($infile, $outfile, $multi_certs, $headers)); +-var_dump(openssl_cms_encrypt($infile, 
$outfile, array_map('openssl_x509_read', $multi_certs) , $headers)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $assoc_headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $empty_headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($wrong, $outfile, $single_cert, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($empty, $outfile, $single_cert, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $empty, $single_cert, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $wrong, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $empty, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, $multi_certs, $headers, cipher_algo: $cipher)); ++var_dump(openssl_cms_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs), $headers, cipher_algo: $cipher)); + + if (file_exists($outfile)) { + echo "true\n"; +-- +2.35.3 + +From a78ef37e631f2b6e7804a557d016737010fb15db Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Fri, 6 Aug 2021 10:35:49 +0200 +Subject: [PATCH 22/39] Generate pkcs12_read test inputs on the fly + +The old p12_with_extra_certs.p12 file uses an unsupported something. 
+ +(cherry picked from commit 5843ba518cfb9ac6ae6d6a69629239cbf77d4cfb) +--- + ext/openssl/tests/bug74022_2.phpt | 10 ++-- + .../tests/openssl_pkcs12_read_basic.phpt | 46 ++++++++++-------- + ext/openssl/tests/p12_with_extra_certs.p12 | Bin 3205 -> 0 bytes + 3 files changed, 31 insertions(+), 25 deletions(-) + delete mode 100644 ext/openssl/tests/p12_with_extra_certs.p12 + +diff --git a/ext/openssl/tests/bug74022_2.phpt b/ext/openssl/tests/bug74022_2.phpt +index 5df37fb3c9..9c38387157 100644 +--- a/ext/openssl/tests/bug74022_2.phpt ++++ b/ext/openssl/tests/bug74022_2.phpt +@@ -12,11 +12,13 @@ function test($p12_contents, $password) { + var_dump(count($cert_data['extracerts'])); + } + +-$p12_base64 = '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'; ++$cert = file_get_contents(__DIR__ . "/public.crt"); ++$priv = file_get_contents(__DIR__ . "/private.crt"); ++$extracert = file_get_contents(__DIR__ . "/cert.crt"); ++$pass = "qwerty"; ++openssl_pkcs12_export($cert, $p12, $priv, $pass, array('extracerts' => [$extracert, $extracert])); + +-$p12 = base64_decode($p12_base64); +- +-test($p12, 'qwerty'); ++test($p12, $pass); + ?> + --EXPECT-- + int(2) +diff --git a/ext/openssl/tests/openssl_pkcs12_read_basic.phpt b/ext/openssl/tests/openssl_pkcs12_read_basic.phpt +index b81b4d9dac..8cb2b41fd7 100644 +--- a/ext/openssl/tests/openssl_pkcs12_read_basic.phpt ++++ b/ext/openssl/tests/openssl_pkcs12_read_basic.phpt +@@ -4,10 +4,12 @@ openssl_pkcs12_read() tests + + --FILE-- + $extracert)); + + var_dump(openssl_pkcs12_read("", $certs, "")); + var_dump(openssl_pkcs12_read($p12, $certs, "")); +@@ -73,24 +75,26 @@ MK80GEnRQIkB7uZVk+r0HusK + ["extracerts"]=> + array(1) { + [0]=> +- string(1111) "-----BEGIN CERTIFICATE----- +-MIIDBjCCAe4CCQDaL5/+UVeXuTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB +-VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +-cyBQdHkgTHRkMB4XDTE1MDYxMDEyNDAwNVoXDTE2MDYwOTEyNDAwNVowRTELMAkG 
+-A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 +-IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +-AL/IF7bW0vpEg5A054SDqTi5pkSeie6nyIT77qCAVI5PMlhNjxuqDIlLpCWonvKb +-LMRtp7t24BsQBRgQgps8mtfRr0gV1qq9HMfDj2bZdGcTShZN/M/BFATwxaNRTHl9 +-ey8zxGcLd4aFFBlVhXHYdBXg/PG/oxJMAFuMwa+KxSP6Mqp1FlOZtvUUieQcToMf +-Mh8Lbr4g/yHFj5lgWIJ2fmJjHJZ4wf9QBeGUrVqqxzSDEL9f0PGy+grqSHoIzLr3 +-+uhvhoI85nCyZs9+lrELuQKqbiZ8Q6Vmj6JGt3miNBFVTbBpP9GK8sVuVQwgqd8p +-C3e8hHqv7vwF+s0zjiZ+rCcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdpTtiyDJ +-0wLB18iunXCMUJpjc/HVYEp5P9vl2E/bcZfGns/8KxNHoe9mgJycr3mwjCjMjVx2 +-L/9q/8XoT02aBncwAx4oZ2H0qfjZppaUSnSc1Uv+dsldDC2mZvJgwXN7jtQmU5P3 +-cspFHuJoYK8AqYJqlO6E4L9uRF7dLEliUnrBpF4BxziwskTquRX+zgD+fmk0L5O8 +-qqvm8btWCxfng+qD7UHFWbUQ2IegZ3VrBWJ2XsxOvokMM4HoHVb0BZgq8Dvu0XJ9 +-EriEQkcydtrRKtlcWHLKcJuNUnkw2qfj+F8mmdaZib8Apa1UCkt0ZlpyYO3V2ejY +-WIjafwJYrv6f5g== ++ string(1249) "-----BEGIN CERTIFICATE----- ++MIIDbDCCAtWgAwIBAgIJAK7FVsxyN1CiMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD ++VQQGEwJCUjEaMBgGA1UECBMRUmlvIEdyYW5kZSBkbyBTdWwxFTATBgNVBAcTDFBv ++cnRvIEFsZWdyZTEeMBwGA1UEAxMVSGVucmlxdWUgZG8gTi4gQW5nZWxvMR8wHQYJ ++KoZIhvcNAQkBFhBobmFuZ2Vsb0BwaHAubmV0MB4XDTA4MDYzMDEwMjg0M1oXDTA4 ++MDczMDEwMjg0M1owgYExCzAJBgNVBAYTAkJSMRowGAYDVQQIExFSaW8gR3JhbmRl ++IGRvIFN1bDEVMBMGA1UEBxMMUG9ydG8gQWxlZ3JlMR4wHAYDVQQDExVIZW5yaXF1 ++ZSBkbyBOLiBBbmdlbG8xHzAdBgkqhkiG9w0BCQEWEGhuYW5nZWxvQHBocC5uZXQw ++gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMteno+QK1ulX4/WDAVBYfoTPRTz ++e4SZLwgael4jwWTytj+8c5nNllrFELD6WjJzfjaoIMhCF4w4I2bkWR6/PTqrvnv+ ++iiiItHfKvJgYqIobUhkiKmWa2wL3mgqvNRIqTrTC4jWZuCkxQ/ksqL9O/F6zk+aR ++S1d+KbPaqCR5Rw+lAgMBAAGjgekwgeYwHQYDVR0OBBYEFNt+QHK9XDWF7CkpgRLo ++Ymhqtz99MIG2BgNVHSMEga4wgauAFNt+QHK9XDWF7CkpgRLoYmhqtz99oYGHpIGE ++MIGBMQswCQYDVQQGEwJCUjEaMBgGA1UECBMRUmlvIEdyYW5kZSBkbyBTdWwxFTAT ++BgNVBAcTDFBvcnRvIEFsZWdyZTEeMBwGA1UEAxMVSGVucmlxdWUgZG8gTi4gQW5n ++ZWxvMR8wHQYJKoZIhvcNAQkBFhBobmFuZ2Vsb0BwaHAubmV0ggkArsVWzHI3UKIw 
++DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCP1GUnStC0TBqngr3Kx+zS ++UW8KutKO0ORc5R8aV/x9LlaJrzPyQJgiPpu5hXogLSKRIHxQS3X2+Y0VvIpW72LW ++PVKPhYlNtO3oKnfoJGKin0eEhXRZMjfEW/kznY+ZZmNifV2r8s+KhNAqI4PbClvn ++4vh8xF/9+eVEj+hM+0OflA== + -----END CERTIFICATE----- + " + } + +-- +2.35.3 + +From b9b0a9a1a42cbbea0d2fab27360fc5c62c98a6e4 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Fri, 6 Aug 2021 11:15:18 +0200 +Subject: [PATCH 23/39] Do not special case export of EC keys + +All other private keys are exported in PKCS#8 format, while EC +keys use traditional format. Switch them to use PKCS#8 format as +well. + +As the OpenSSL docs say: + +> PEM_write_bio_PrivateKey_traditional() writes out a private key +> in the "traditional" format with a simple private key marker and +> should only be used for compatibility with legacy programs. + +(cherry picked from commit f2d3e75933fa155a5281c824263780dbc660ecb1) +--- + ext/openssl/openssl.c | 36 ++++--------------- + .../tests/openssl_pkey_export_basic.phpt | 6 +++- + 2 files changed, 11 insertions(+), 31 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 1b27f609fe..4a151cf2d7 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4327,21 +4327,9 @@ PHP_FUNCTION(openssl_pkey_export_to_file) + cipher = NULL; + } + +- switch (EVP_PKEY_base_id(key)) { +-#ifdef HAVE_EVP_PKEY_EC +- case EVP_PKEY_EC: +- pem_write = PEM_write_bio_ECPrivateKey( +- bio_out, EVP_PKEY_get0_EC_KEY(key), cipher, +- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); +- break; +-#endif +- default: +- pem_write = PEM_write_bio_PrivateKey( +- bio_out, key, cipher, +- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); +- break; +- } +- ++ pem_write = PEM_write_bio_PrivateKey( ++ bio_out, key, cipher, ++ (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); + if (pem_write) { + /* Success! 
+ * If returning the output as a string, do so now */ +@@ -4399,21 +4387,9 @@ PHP_FUNCTION(openssl_pkey_export) + cipher = NULL; + } + +- switch (EVP_PKEY_base_id(key)) { +-#ifdef HAVE_EVP_PKEY_EC +- case EVP_PKEY_EC: +- pem_write = PEM_write_bio_ECPrivateKey( +- bio_out, EVP_PKEY_get0_EC_KEY(key), cipher, +- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); +- break; +-#endif +- default: +- pem_write = PEM_write_bio_PrivateKey( +- bio_out, key, cipher, +- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); +- break; +- } +- ++ pem_write = PEM_write_bio_PrivateKey( ++ bio_out, key, cipher, ++ (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL); + if (pem_write) { + /* Success! + * If returning the output as a string, do so now */ +diff --git a/ext/openssl/tests/openssl_pkey_export_basic.phpt b/ext/openssl/tests/openssl_pkey_export_basic.phpt +index 678b7e7299..5cd68d18b8 100644 +--- a/ext/openssl/tests/openssl_pkey_export_basic.phpt ++++ b/ext/openssl/tests/openssl_pkey_export_basic.phpt +@@ -47,7 +47,11 @@ var_dump($key instanceof OpenSSLAsymmetricKey); + object(OpenSSLAsymmetricKey)#%d (0) { + } + bool(true) +------BEGIN EC PRIVATE KEY-----%a-----END EC PRIVATE KEY----- ++-----BEGIN PRIVATE KEY----- ++MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgs+Sqh7IzteDBiS5K ++PfTvuWuyt9YkrkuoyiW/6bag6NmhRANCAAQ+riFshYe8HnWt1avx6OuNajipU1ZW ++6BgW0+D/EtDDSYeQg9ngO8qyo5M6cyh7ORtKZVUy7DP1+W+eocaZC+a6 ++-----END PRIVATE KEY----- + bool(true) + bool(true) + object(OpenSSLAsymmetricKey)#%d (0) { +-- +2.35.3 + +From af97ffecf1c98606c65cabe5b150b5447a0d2c53 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Fri, 6 Aug 2021 16:51:05 +0200 +Subject: [PATCH 24/39] Switch manual DH key generation to param API + +Instead of using the deprecated low-level interface. + +This should also avoid issues with fetching parameters from +legacy keys, cf. https://github.com/openssl/openssl/issues/16247. 
+ +(cherry picked from commit a7740a0bf00704372353ea4360c3e6b58102a6f7) +--- + ext/openssl/openssl.c | 136 ++++++++++++++++++++++++++++++++++-------- + 1 file changed, 112 insertions(+), 24 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 4a151cf2d7..2493fd777c 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -56,6 +56,10 @@ + #include + #include + #include ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++#include ++#include ++#endif + + /* Common */ + #include +@@ -4021,8 +4025,8 @@ static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM + } + /* }}} */ + +-/* {{{ php_openssl_pkey_init_dh */ +-static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private) ++#if PHP_OPENSSL_API_VERSION < 0x30000 ++static zend_bool php_openssl_pkey_init_legacy_dh(DH *dh, zval *data, bool *is_private) + { + BIGNUM *p, *q, *g, *priv_key, *pub_key; + +@@ -4054,9 +4058,108 @@ static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private) + return 0; + } + /* all good */ ++ *is_private = true; + return 1; + } +-/* }}} */ ++#endif ++ ++static EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private) ++{ ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL; ++ EVP_PKEY *param_key = NULL, *pkey = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); ++ OSSL_PARAM *params = NULL; ++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); ++ ++ OPENSSL_PKEY_SET_BN(data, p); ++ OPENSSL_PKEY_SET_BN(data, q); ++ OPENSSL_PKEY_SET_BN(data, g); ++ OPENSSL_PKEY_SET_BN(data, priv_key); ++ OPENSSL_PKEY_SET_BN(data, pub_key); ++ ++ if (!ctx || !bld || !p || !g) { ++ goto cleanup; ++ } ++ ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p); ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g); ++ if (q) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q); ++ } ++ if (priv_key) { ++ OSSL_PARAM_BLD_push_BN(bld, 
OSSL_PKEY_PARAM_PRIV_KEY, priv_key); ++ if (!pub_key) { ++ pub_key = php_openssl_dh_pub_from_priv(priv_key, g, p); ++ if (!pub_key) { ++ goto cleanup; ++ } ++ } ++ } ++ if (pub_key) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key); ++ } ++ ++ params = OSSL_PARAM_BLD_to_param(bld); ++ if (!params) { ++ goto cleanup; ++ } ++ ++ if (EVP_PKEY_fromdata_init(ctx) <= 0 || ++ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) { ++ goto cleanup; ++ } ++ ++ if (pub_key || priv_key) { ++ *is_private = priv_key != NULL; ++ EVP_PKEY_up_ref(param_key); ++ pkey = param_key; ++ } else { ++ *is_private = true; ++ PHP_OPENSSL_RAND_ADD_TIME(); ++ EVP_PKEY_CTX_free(ctx); ++ ctx = EVP_PKEY_CTX_new(param_key, NULL); ++ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) { ++ goto cleanup; ++ } ++ } ++ ++cleanup: ++ php_openssl_store_errors(); ++ EVP_PKEY_free(param_key); ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(bld); ++ BN_free(p); ++ BN_free(q); ++ BN_free(g); ++ BN_free(priv_key); ++ BN_free(pub_key); ++ return pkey; ++#else ++ EVP_PKEY *pkey = EVP_PKEY_new(); ++ if (!pkey) { ++ php_openssl_store_errors(); ++ return NULL; ++ } ++ ++ DH *dh = DH_new(); ++ if (!dh) { ++ EVP_PKEY_free(pkey); ++ return NULL; ++ } ++ ++ if (!php_openssl_pkey_init_legacy_dh(dh, data, is_private) ++ || !EVP_PKEY_assign_DH(pkey, dh)) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ DH_free(dh); ++ return NULL; ++ } ++ ++ return pkey; ++#endif ++} + + /* {{{ Generates a new private key */ + PHP_FUNCTION(openssl_pkey_new) +@@ -4118,28 +4221,13 @@ PHP_FUNCTION(openssl_pkey_new) + RETURN_FALSE; + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dh", sizeof("dh") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { +- pkey = EVP_PKEY_new(); +- if (pkey) { +- DH *dh = DH_new(); +- if (dh) { +- bool is_private; +- if (php_openssl_pkey_init_dh(dh, data, &is_private)) { +- if (EVP_PKEY_assign_DH(pkey, dh)) { +- 
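Review bot: The `OSSL_PARAM_BLD_push_BN()` calls in the OpenSSL 3 branch of `php_openssl_pkey_init_dh()` discard their return values, so a failed push is only noticed if `OSSL_PARAM_BLD_to_param()` or `EVP_PKEY_fromdata()` happens to fail afterwards; otherwise a key could be built without a component the caller supplied. Each call should be checked, e.g. `if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p)) goto cleanup;`. The same unchecked pattern appears in `php_openssl_pkey_init_dsa()` in the following patch. Separately, `priv_key` is released with `BN_free()`, which does not wipe the value; `BN_clear_free(priv_key);` in the cleanup block would clear the private exponent before the memory is returned.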
php_openssl_pkey_object_init(return_value, pkey, is_private); +- return; +- } else { +- php_openssl_store_errors(); +- } +- } +- DH_free(dh); +- } else { +- php_openssl_store_errors(); +- } +- EVP_PKEY_free(pkey); +- } else { +- php_openssl_store_errors(); ++ bool is_private; ++ pkey = php_openssl_pkey_init_dh(data, &is_private); ++ if (!pkey) { ++ RETURN_FALSE; + } +- RETURN_FALSE; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); ++ return; + #ifdef HAVE_EVP_PKEY_EC + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ec", sizeof("ec") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { +-- +2.35.3 + +From 3a377b2e852b5164439d2e376ff5e9012a5dd27b Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Fri, 6 Aug 2021 17:14:58 +0200 +Subject: [PATCH 25/39] Switch manual DSA key generation to param API + +This is very similar to the DH case, with the primary difference +that priv_key is ignored if pub_key is not given, rather than +generating pub_key from priv_key. Would be nice if these worked +the same (in which case we should probably also unify the keygen +for FFC algorithms, as it's very similar). 
+ +(cherry picked from commit 2bf316fdfc0cfc4b6a5e27c9a13274d01b4b298f) +--- + ext/openssl/openssl.c | 126 ++++++++++++++++++++++++++++++++++-------- + 1 file changed, 102 insertions(+), 24 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 2493fd777c..732007be73 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3946,8 +3946,8 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, + return 1; + } + +-/* {{{ php_openssl_pkey_init_dsa */ +-static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_private) ++#if PHP_OPENSSL_API_VERSION < 0x30000 ++static zend_bool php_openssl_pkey_init_legacy_dsa(DSA *dsa, zval *data, bool *is_private) + { + BIGNUM *p, *q, *g, *priv_key, *pub_key; + const BIGNUM *priv_key_const, *pub_key_const; +@@ -3980,9 +3980,102 @@ static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_privat + return 0; + } + /* all good */ ++ *is_private = true; + return 1; + } +-/* }}} */ ++#endif ++ ++static EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private) ++{ ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL; ++ EVP_PKEY *param_key = NULL, *pkey = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, NULL); ++ OSSL_PARAM *params = NULL; ++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); ++ ++ OPENSSL_PKEY_SET_BN(data, p); ++ OPENSSL_PKEY_SET_BN(data, q); ++ OPENSSL_PKEY_SET_BN(data, g); ++ OPENSSL_PKEY_SET_BN(data, priv_key); ++ OPENSSL_PKEY_SET_BN(data, pub_key); ++ ++ if (!ctx || !bld || !p || !q || !g) { ++ goto cleanup; ++ } ++ ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p); ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q); ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g); ++ // TODO: We silently ignore priv_key if pub_key is not given, unlike in the DH case. 
++ if (pub_key) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key); ++ if (priv_key) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key); ++ } ++ } ++ ++ params = OSSL_PARAM_BLD_to_param(bld); ++ if (!params) { ++ goto cleanup; ++ } ++ ++ if (EVP_PKEY_fromdata_init(ctx) <= 0 || ++ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) { ++ goto cleanup; ++ } ++ ++ if (pub_key) { ++ *is_private = priv_key != NULL; ++ EVP_PKEY_up_ref(param_key); ++ pkey = param_key; ++ } else { ++ *is_private = true; ++ PHP_OPENSSL_RAND_ADD_TIME(); ++ EVP_PKEY_CTX_free(ctx); ++ ctx = EVP_PKEY_CTX_new(param_key, NULL); ++ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) { ++ goto cleanup; ++ } ++ } ++ ++cleanup: ++ php_openssl_store_errors(); ++ EVP_PKEY_free(param_key); ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(bld); ++ BN_free(p); ++ BN_free(q); ++ BN_free(g); ++ BN_free(priv_key); ++ BN_free(pub_key); ++ return pkey; ++#else ++ EVP_PKEY *pkey = EVP_PKEY_new(); ++ if (!pkey) { ++ php_openssl_store_errors(); ++ return NULL; ++ } ++ ++ DSA *dsa = DSA_new(); ++ if (!dsa) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ return NULL; ++ } ++ ++ if (!php_openssl_pkey_init_legacy_dsa(dsa, data, is_private) ++ || !EVP_PKEY_assign_DSA(pkey, dsa)) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ DSA_free(dsa); ++ return NULL; ++ } ++ ++ return pkey; ++#endif ++} + + /* {{{ php_openssl_dh_pub_from_priv */ + static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM *p) +@@ -4197,28 +4290,13 @@ PHP_FUNCTION(openssl_pkey_new) + RETURN_FALSE; + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dsa", sizeof("dsa") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { +- pkey = EVP_PKEY_new(); +- if (pkey) { +- DSA *dsa = DSA_new(); +- if (dsa) { +- bool is_private; +- if (php_openssl_pkey_init_dsa(dsa, data, &is_private)) { +- if 
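Review bot: When `priv_key` is supplied without `pub_key`, the OpenSSL 3 branch of `php_openssl_pkey_init_dsa()` takes the keygen path and returns a freshly generated key with `*is_private = true`, so the caller receives a key unrelated to the one passed in and gets no diagnostic. The TODO records the difference from the DH case, but the caller-visible result deserves at least a warning, e.g. `if (priv_key && !pub_key) { php_error_docref(NULL, E_WARNING, "priv_key ignored without pub_key"); }` placed before the parameter pushes. Whether to fail instead is a compatibility decision; most of the legacy helper's body is outside the hunk, so its handling of this case cannot be compared from here.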
(EVP_PKEY_assign_DSA(pkey, dsa)) { +- php_openssl_pkey_object_init(return_value, pkey, is_private); +- return; +- } else { +- php_openssl_store_errors(); +- } +- } +- DSA_free(dsa); +- } else { +- php_openssl_store_errors(); +- } +- EVP_PKEY_free(pkey); +- } else { +- php_openssl_store_errors(); ++ bool is_private; ++ pkey = php_openssl_pkey_init_dsa(data, &is_private); ++ if (!pkey) { ++ RETURN_FALSE; + } +- RETURN_FALSE; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); ++ return; + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dh", sizeof("dh") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { + bool is_private; +-- +2.35.3 + +From 3018e5994bf3c2fb2bfab8c21bd5052b3a0064d9 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Sun, 8 Aug 2021 17:39:06 +0200 +Subject: [PATCH 26/39] Use OpenSSL NCONF APIs (#7337) + +(cherry picked from commit 94bc5fce261a4a56a545bdfb25d5c2452a07de08) +--- + ext/openssl/openssl.c | 66 +++++++++++++++++++++++-------------------- + 1 file changed, 36 insertions(+), 30 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 732007be73..098b1163c6 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -587,8 +587,8 @@ int php_openssl_get_ssl_stream_data_index() + static char default_ssl_conf_filename[MAXPATHLEN]; + + struct php_x509_request { /* {{{ */ +- LHASH_OF(CONF_VALUE) * global_config; /* Global SSL config */ +- LHASH_OF(CONF_VALUE) * req_config; /* SSL config for this request */ ++ CONF *global_config; /* Global SSL config */ ++ CONF *req_config; /* SSL config for this request */ + const EVP_MD * md_alg; + const EVP_MD * digest; + char * section_name, +@@ -804,13 +804,13 @@ static time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */ + } + /* }}} */ + +-static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, LHASH_OF(CONF_VALUE) * config) /* {{{ */ ++static inline int 
php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, CONF *config) /* {{{ */ + { + X509V3_CTX ctx; + + X509V3_set_ctx_test(&ctx); +- X509V3_set_conf_lhash(&ctx, config); +- if (!X509V3_EXT_add_conf(config, &ctx, (char *)section, NULL)) { ++ X509V3_set_nconf(&ctx, config); ++ if (!X509V3_EXT_add_nconf(config, &ctx, (char *)section, NULL)) { + php_openssl_store_errors(); + php_error_docref(NULL, E_WARNING, "Error loading %s section %s of %s", + section_label, +@@ -822,17 +822,24 @@ static inline int php_openssl_config_check_syntax(const char * section_label, co + } + /* }}} */ + +-static char *php_openssl_conf_get_string( +- LHASH_OF(CONF_VALUE) *conf, const char *group, const char *name) { +- char *str = CONF_get_string(conf, group, name); +- if (str == NULL) { +- /* OpenSSL reports an error if a configuration value is not found. +- * However, we don't want to generate errors for optional configuration. */ +- ERR_clear_error(); +- } ++static char *php_openssl_conf_get_string(CONF *conf, const char *group, const char *name) { ++ /* OpenSSL reports an error if a configuration value is not found. ++ * However, we don't want to generate errors for optional configuration. */ ++ ERR_set_mark(); ++ char *str = NCONF_get_string(conf, group, name); ++ ERR_pop_to_mark(); + return str; + } + ++static long php_openssl_conf_get_number(CONF *conf, const char *group, const char *name) { ++ /* Same here, ignore errors. 
*/ ++ long res = 0; ++ ERR_set_mark(); ++ NCONF_get_number(conf, group, name, &res); ++ ERR_pop_to_mark(); ++ return res; ++} ++ + static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */ + { + char * str; +@@ -844,7 +851,7 @@ static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */ + if (str == NULL) { + return SUCCESS; + } +- sktmp = CONF_get_section(req->req_config, str); ++ sktmp = NCONF_get_section(req->req_config, str); + if (sktmp == NULL) { + php_openssl_store_errors(); + php_error_docref(NULL, E_WARNING, "Problem loading oid section %s", str); +@@ -915,13 +922,13 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option + + SET_OPTIONAL_STRING_ARG("config", req->config_filename, default_ssl_conf_filename); + SET_OPTIONAL_STRING_ARG("config_section_name", req->section_name, "req"); +- req->global_config = CONF_load(NULL, default_ssl_conf_filename, NULL); +- if (req->global_config == NULL) { ++ req->global_config = NCONF_new(NULL); ++ if (!NCONF_load(req->global_config, default_ssl_conf_filename, NULL)) { + php_openssl_store_errors(); + } +- req->req_config = CONF_load(NULL, req->config_filename, NULL); +- if (req->req_config == NULL) { +- php_openssl_store_errors(); ++ ++ req->req_config = NCONF_new(NULL); ++ if (!NCONF_load(req->req_config, req->config_filename, NULL)) { + return FAILURE; + } + +@@ -945,8 +952,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option + SET_OPTIONAL_STRING_ARG("req_extensions", req->request_extensions_section, + php_openssl_conf_get_string(req->req_config, req->section_name, "req_extensions")); + SET_OPTIONAL_LONG_ARG("private_key_bits", req->priv_key_bits, +- CONF_get_number(req->req_config, req->section_name, "default_bits")); +- ++ php_openssl_conf_get_number(req->req_config, req->section_name, "default_bits")); + SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT); + + if (optional_args 
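Review bot: The request-config branch in `php_openssl_parse_config()` now returns `FAILURE` when `NCONF_load(req->req_config, ...)` fails without calling `php_openssl_store_errors()`, while the `global_config` branch just above still does and the removed `CONF_load` code did. Unless the omission is deliberate, restore `php_openssl_store_errors();` before `return FAILURE;`, so the load error is handled like the other failures in this file rather than left on OpenSSL's error queue. Neither `NCONF_new(NULL)` result is checked for NULL; a short comment stating that the following `NCONF_load()` is relied on to reject a NULL `CONF` would make that assumption explicit. The function starts and ends outside the hunk.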
&& (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key")-1)) != NULL) { +@@ -1026,11 +1032,11 @@ static void php_openssl_dispose_config(struct php_x509_request * req) /* {{{ */ + req->priv_key = NULL; + } + if (req->global_config) { +- CONF_free(req->global_config); ++ NCONF_free(req->global_config); + req->global_config = NULL; + } + if (req->req_config) { +- CONF_free(req->req_config); ++ NCONF_free(req->req_config); + req->req_config = NULL; + } + } +@@ -2947,12 +2953,12 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z + STACK_OF(CONF_VALUE) * dn_sk, *attr_sk = NULL; + char * str, *dn_sect, *attr_sect; + +- dn_sect = CONF_get_string(req->req_config, req->section_name, "distinguished_name"); ++ dn_sect = NCONF_get_string(req->req_config, req->section_name, "distinguished_name"); + if (dn_sect == NULL) { + php_openssl_store_errors(); + return FAILURE; + } +- dn_sk = CONF_get_section(req->req_config, dn_sect); ++ dn_sk = NCONF_get_section(req->req_config, dn_sect); + if (dn_sk == NULL) { + php_openssl_store_errors(); + return FAILURE; +@@ -2961,7 +2967,7 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z + if (attr_sect == NULL) { + attr_sk = NULL; + } else { +- attr_sk = CONF_get_section(req->req_config, attr_sect); ++ attr_sk = NCONF_get_section(req->req_config, attr_sect); + if (attr_sk == NULL) { + php_openssl_store_errors(); + return FAILURE; +@@ -3376,8 +3382,8 @@ PHP_FUNCTION(openssl_csr_sign) + X509V3_CTX ctx; + + X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0); +- X509V3_set_conf_lhash(&ctx, req.req_config); +- if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.extensions_section, new_cert)) { ++ X509V3_set_nconf(&ctx, req.req_config); ++ if (!X509V3_EXT_add_nconf(req.req_config, &ctx, req.extensions_section, new_cert)) { + php_openssl_store_errors(); + goto cleanup; + } +@@ -3450,10 +3456,10 @@ PHP_FUNCTION(openssl_csr_new) + X509V3_CTX ext_ctx; + + 
X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, 0); +- X509V3_set_conf_lhash(&ext_ctx, req.req_config); ++ X509V3_set_nconf(&ext_ctx, req.req_config); + + /* Add extensions */ +- if (req.request_extensions_section && !X509V3_EXT_REQ_add_conf(req.req_config, ++ if (req.request_extensions_section && !X509V3_EXT_REQ_add_nconf(req.req_config, + &ext_ctx, req.request_extensions_section, csr)) + { + php_openssl_store_errors(); +-- +2.35.3 + +From d6b6224ea0fcfd7ae358afa3a768878fb8fb9ccd Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka +Date: Sun, 8 Aug 2021 20:54:46 +0100 +Subject: [PATCH 27/39] Make CertificateGenerator not dependent on external + config in OpenSSL 3.0 + +(cherry picked from commit c90c9c7545427d9d35cbac45c4ec896f54619744) +--- + ext/openssl/tests/CertificateGenerator.inc | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/ext/openssl/tests/CertificateGenerator.inc b/ext/openssl/tests/CertificateGenerator.inc +index 1dc378e706..4783353a47 100644 +--- a/ext/openssl/tests/CertificateGenerator.inc ++++ b/ext/openssl/tests/CertificateGenerator.inc +@@ -65,7 +65,10 @@ class CertificateGenerator + ), + null, + $this->caKey, +- 2 ++ 2, ++ [ ++ 'config' => self::CONFIG, ++ ] + ); + } + +@@ -101,6 +104,7 @@ class CertificateGenerator + [ req ] + distinguished_name = req_distinguished_name + default_md = sha256 ++default_bits = 1024 + + [ req_distinguished_name ] + +@@ -124,8 +128,9 @@ CONFIG; + ]; + + $this->lastKey = self::generateKey($keyLength); ++ $csr = openssl_csr_new($dn, $this->lastKey, $config); + $this->lastCert = openssl_csr_sign( +- openssl_csr_new($dn, $this->lastKey, $config), ++ $csr, + $this->ca, + $this->caKey, + /* days */ 2, +@@ -139,7 +144,7 @@ CONFIG; + openssl_x509_export($this->lastCert, $certText); + + $keyText = ''; +- openssl_pkey_export($this->lastKey, $keyText); ++ openssl_pkey_export($this->lastKey, $keyText, null, $config); + + file_put_contents($file, $certText . PHP_EOL . 
$keyText); + } finally { +-- +2.35.3 + +From dd5c2fac14bd179d3014fdf21accd7b81a67024b Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Mon, 9 Aug 2021 10:26:12 +0200 +Subject: [PATCH 28/39] Extract EC key initialization + +(cherry picked from commit 14d7c7e9aee5ab55a92ddc626b7b81c130ea7618) +--- + ext/openssl/openssl.c | 239 ++++++++++++++++++++++-------------------- + 1 file changed, 126 insertions(+), 113 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 098b1163c6..bfa3191410 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4260,6 +4260,126 @@ cleanup: + #endif + } + ++#ifdef HAVE_EVP_PKEY_EC ++static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_private) { ++ EC_GROUP *group = NULL; ++ EC_POINT *pnt = NULL; ++ BIGNUM *d = NULL; ++ zval *bn; ++ zval *x; ++ zval *y; ++ ++ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL && ++ Z_TYPE_P(bn) == IS_STRING) { ++ int nid = OBJ_sn2nid(Z_STRVAL_P(bn)); ++ if (nid != NID_undef) { ++ group = EC_GROUP_new_by_curve_name(nid); ++ if (!group) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); ++ EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED); ++ if (!EC_KEY_set_group(eckey, group)) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ } ++ } ++ ++ if (group == NULL) { ++ php_error_docref(NULL, E_WARNING, "Unknown curve name"); ++ goto clean_exit; ++ } ++ ++ // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y' ++ *is_private = false; ++ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL && ++ Z_TYPE_P(bn) == IS_STRING) { ++ *is_private = true; ++ d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL); ++ if (!EC_KEY_set_private_key(eckey, d)) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ // Calculate the public key by 
multiplying the Point Q with the public key ++ // P = d * Q ++ pnt = EC_POINT_new(group); ++ if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ ++ BN_free(d); ++ } else if ((x = zend_hash_str_find(Z_ARRVAL_P(data), "x", sizeof("x") - 1)) != NULL && ++ Z_TYPE_P(x) == IS_STRING && ++ (y = zend_hash_str_find(Z_ARRVAL_P(data), "y", sizeof("y") - 1)) != NULL && ++ Z_TYPE_P(y) == IS_STRING) { ++ pnt = EC_POINT_new(group); ++ if (pnt == NULL) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ if (!EC_POINT_set_affine_coordinates_GFp( ++ group, pnt, BN_bin2bn((unsigned char*) Z_STRVAL_P(x), Z_STRLEN_P(x), NULL), ++ BN_bin2bn((unsigned char*) Z_STRVAL_P(y), Z_STRLEN_P(y), NULL), NULL)) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ } ++ ++ if (pnt != NULL) { ++ if (!EC_KEY_set_public_key(eckey, pnt)) { ++ php_openssl_store_errors(); ++ goto clean_exit; ++ } ++ EC_POINT_free(pnt); ++ pnt = NULL; ++ } ++ ++ if (!EC_KEY_check_key(eckey)) { ++ PHP_OPENSSL_RAND_ADD_TIME(); ++ EC_KEY_generate_key(eckey); ++ php_openssl_store_errors(); ++ } ++ if (EC_KEY_check_key(eckey)) { ++ return true; ++ } else { ++ php_openssl_store_errors(); ++ } ++ ++clean_exit: ++ BN_free(d); ++ EC_POINT_free(pnt); ++ EC_GROUP_free(group); ++ return false; ++} ++ ++static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { ++ EVP_PKEY *pkey = EVP_PKEY_new(); ++ if (!pkey) { ++ php_openssl_store_errors(); ++ return NULL; ++ } ++ ++ EC_KEY *ec = EC_KEY_new(); ++ if (!ec) { ++ EVP_PKEY_free(pkey); ++ return NULL; ++ } ++ ++ if (!php_openssl_pkey_init_legacy_ec(ec, data, is_private) ++ || !EVP_PKEY_assign_EC_KEY(pkey, ec)) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ EC_KEY_free(ec); ++ return NULL; ++ } ++ ++ return pkey; ++} ++#endif ++ + /* {{{ Generates a new private key */ + PHP_FUNCTION(openssl_pkey_new) + { +@@ -4315,120 +4435,13 @@ PHP_FUNCTION(openssl_pkey_new) + #ifdef 
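Review bot: In `php_openssl_pkey_init_legacy_ec()`, `d` is released with `BN_free(d);` right after `EC_POINT_mul()` but is not reset, so any later jump or fall-through to `clean_exit` (a failing `EC_KEY_set_public_key()`, or the second `EC_KEY_check_key()` failing) frees it a second time. Replace the early free with `BN_clear_free(d); d = NULL;`, which also wipes the private scalar, or drop it and let `clean_exit` release it. The success path `return true;` also skips `EC_GROUP_free(group)`, which the removed inline code in `openssl_pkey_new` called before returning; assuming `EC_KEY_set_group()` keeps its own copy, the group now leaks on every successful call. In `php_openssl_pkey_init_ec()`, the `EC_KEY_new()` failure branch returns without `php_openssl_store_errors()`, unlike the `EVP_PKEY_new()` check just above it.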
HAVE_EVP_PKEY_EC + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ec", sizeof("ec") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { +- EC_KEY *eckey = NULL; +- EC_GROUP *group = NULL; +- EC_POINT *pnt = NULL; +- BIGNUM *d = NULL; +- pkey = EVP_PKEY_new(); +- if (pkey) { +- eckey = EC_KEY_new(); +- if (eckey) { +- bool is_private = false; +- EC_GROUP *group = NULL; +- zval *bn; +- zval *x; +- zval *y; +- +- if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL && +- Z_TYPE_P(bn) == IS_STRING) { +- int nid = OBJ_sn2nid(Z_STRVAL_P(bn)); +- if (nid != NID_undef) { +- group = EC_GROUP_new_by_curve_name(nid); +- if (!group) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); +- EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED); +- if (!EC_KEY_set_group(eckey, group)) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- } +- } +- +- if (group == NULL) { +- php_error_docref(NULL, E_WARNING, "Unknown curve name"); +- goto clean_exit; +- } +- +- // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y' +- if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL && +- Z_TYPE_P(bn) == IS_STRING) { +- is_private = true; +- d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL); +- if (!EC_KEY_set_private_key(eckey, d)) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- // Calculate the public key by multiplying the Point Q with the public key +- // P = d * Q +- pnt = EC_POINT_new(group); +- if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- +- BN_free(d); +- } else if ((x = zend_hash_str_find(Z_ARRVAL_P(data), "x", sizeof("x") - 1)) != NULL && +- Z_TYPE_P(x) == IS_STRING && +- (y = zend_hash_str_find(Z_ARRVAL_P(data), "y", sizeof("y") - 1)) != NULL && +- Z_TYPE_P(y) == IS_STRING) { +- pnt = 
EC_POINT_new(group); +- if (pnt == NULL) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- if (!EC_POINT_set_affine_coordinates_GFp( +- group, pnt, BN_bin2bn((unsigned char*) Z_STRVAL_P(x), Z_STRLEN_P(x), NULL), +- BN_bin2bn((unsigned char*) Z_STRVAL_P(y), Z_STRLEN_P(y), NULL), NULL)) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- } +- +- if (pnt != NULL) { +- if (!EC_KEY_set_public_key(eckey, pnt)) { +- php_openssl_store_errors(); +- goto clean_exit; +- } +- EC_POINT_free(pnt); +- pnt = NULL; +- } +- +- if (!EC_KEY_check_key(eckey)) { +- PHP_OPENSSL_RAND_ADD_TIME(); +- EC_KEY_generate_key(eckey); +- php_openssl_store_errors(); +- } +- if (EC_KEY_check_key(eckey) && EVP_PKEY_assign_EC_KEY(pkey, eckey)) { +- EC_GROUP_free(group); +- php_openssl_pkey_object_init(return_value, pkey, is_private); +- return; +- } else { +- php_openssl_store_errors(); +- } +- } else { +- php_openssl_store_errors(); +- } +- } else { +- php_openssl_store_errors(); +- } +-clean_exit: +- if (d != NULL) { +- BN_free(d); +- } +- if (pnt != NULL) { +- EC_POINT_free(pnt); +- } +- if (group != NULL) { +- EC_GROUP_free(group); +- } +- if (eckey != NULL) { +- EC_KEY_free(eckey); ++ bool is_private; ++ pkey = php_openssl_pkey_init_ec(data, &is_private); ++ if (!pkey) { ++ RETURN_FALSE; + } +- EVP_PKEY_free(pkey); +- RETURN_FALSE; ++ php_openssl_pkey_object_init(return_value, pkey, is_private); ++ return; + #endif + } + } +-- +2.35.3 + +From 14ec063fb3aefafe98cd0853b07a5ccf8d247fc7 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Mon, 9 Aug 2021 12:01:35 +0200 +Subject: [PATCH 29/39] Test calculation of EC public key from private key + +(cherry picked from commit 246698671f941b2034518ab04f35009b2da77bb1) +--- + ext/openssl/tests/ecc.phpt | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt +index 0a71393ae3..0b05410c2c 100644 +--- a/ext/openssl/tests/ecc.phpt ++++ b/ext/openssl/tests/ecc.phpt +@@ 
-33,6 +33,16 @@ $d2 = openssl_pkey_get_details($key2); + // Compare array + var_dump($d1 === $d2); + ++// Check that the public key info is computed from the private key if it is missing. ++$d1_priv = $d1; ++unset($d1_priv["ec"]["x"]); ++unset($d1_priv["ec"]["y"]); ++ ++$key3 = openssl_pkey_new($d1_priv); ++var_dump($key3); ++$d3 = openssl_pkey_get_details($key3); ++var_dump($d1 === $d3); ++ + $dn = array( + "countryName" => "BR", + "stateOrProvinceName" => "Rio Grande do Sul", +@@ -93,6 +103,9 @@ bool(true) + object(OpenSSLAsymmetricKey)#%d (0) { + } + bool(true) ++object(OpenSSLAsymmetricKey)#%d (0) { ++} ++bool(true) + Testing openssl_csr_new with key generation + NULL + object(OpenSSLAsymmetricKey)#%d (0) { +-- +2.35.3 + +From ffe0c9df1f478d34ec98e5bb02c2b0efb2443edb Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Mon, 9 Aug 2021 11:12:20 +0200 +Subject: [PATCH 30/39] Use param API for creating EC keys + +Rather than the deprecated low level APIs. + +(cherry picked from commit f9e701cde813fad4e1f647e63750c0b9bdeadb4e) +--- + ext/openssl/openssl.c | 96 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 96 insertions(+) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index bfa3191410..45f2a30392 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4261,6 +4261,7 @@ cleanup: + } + + #ifdef HAVE_EVP_PKEY_EC ++#if PHP_OPENSSL_API_VERSION < 0x30000 + static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_private) { + EC_GROUP *group = NULL; + EC_POINT *pnt = NULL; +@@ -4338,6 +4339,7 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ + } + + if (!EC_KEY_check_key(eckey)) { ++ *is_private = true; + PHP_OPENSSL_RAND_ADD_TIME(); + EC_KEY_generate_key(eckey); + php_openssl_store_errors(); +@@ -4354,8 +4356,101 @@ clean_exit: + EC_GROUP_free(group); + return false; + } ++#endif + + static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { ++#if 
PHP_OPENSSL_API_VERSION >= 0x30000 ++ BIGNUM *d = NULL, *x = NULL, *y = NULL; ++ EC_GROUP *group = NULL; ++ EC_POINT *pnt = NULL; ++ char *pnt_oct = NULL; ++ EVP_PKEY *param_key = NULL, *pkey = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); ++ OSSL_PARAM *params = NULL; ++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); ++ zval *curve_name_zv = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1); ++ ++ OPENSSL_PKEY_SET_BN(data, d); ++ OPENSSL_PKEY_SET_BN(data, x); ++ OPENSSL_PKEY_SET_BN(data, y); ++ ++ if (!ctx || !bld || !curve_name_zv || Z_TYPE_P(curve_name_zv) != IS_STRING) { ++ goto cleanup; ++ } ++ ++ int nid = OBJ_sn2nid(Z_STRVAL_P(curve_name_zv)); ++ group = EC_GROUP_new_by_curve_name(nid); ++ if (!group) { ++ php_error_docref(NULL, E_WARNING, "Unknown curve name"); ++ goto cleanup; ++ } ++ ++ OSSL_PARAM_BLD_push_utf8_string( ++ bld, OSSL_PKEY_PARAM_GROUP_NAME, Z_STRVAL_P(curve_name_zv), Z_STRLEN_P(curve_name_zv)); ++ ++ if (d) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, d); ++ ++ pnt = EC_POINT_new(group); ++ if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) { ++ goto cleanup; ++ } ++ } else if (x && y) { ++ /* OpenSSL does not allow setting EC_PUB_X/EC_PUB_Y, so convert to encoded format. 
*/ ++ pnt = EC_POINT_new(group); ++ if (!pnt || !EC_POINT_set_affine_coordinates(group, pnt, x, y, NULL)) { ++ goto cleanup; ++ } ++ } ++ ++ if (pnt) { ++ size_t pnt_oct_len = ++ EC_POINT_point2buf(group, pnt, POINT_CONVERSION_COMPRESSED, &pnt_oct, NULL); ++ if (!pnt_oct_len) { ++ goto cleanup; ++ } ++ ++ OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, pnt_oct, pnt_oct_len); ++ } ++ ++ params = OSSL_PARAM_BLD_to_param(bld); ++ if (!params) { ++ goto cleanup; ++ } ++ ++ if (EVP_PKEY_fromdata_init(ctx) <= 0 || ++ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) { ++ goto cleanup; ++ } ++ ++ EVP_PKEY_CTX_free(ctx); ++ ctx = EVP_PKEY_CTX_new(param_key, NULL); ++ if (EVP_PKEY_check(ctx)) { ++ *is_private = d != NULL; ++ EVP_PKEY_up_ref(param_key); ++ pkey = param_key; ++ } else { ++ *is_private = true; ++ PHP_OPENSSL_RAND_ADD_TIME(); ++ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) { ++ goto cleanup; ++ } ++ } ++ ++cleanup: ++ php_openssl_store_errors(); ++ EVP_PKEY_free(param_key); ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(bld); ++ EC_POINT_free(pnt); ++ EC_GROUP_free(group); ++ OPENSSL_free(pnt_oct); ++ BN_free(d); ++ BN_free(x); ++ BN_free(y); ++ return pkey; ++#else + EVP_PKEY *pkey = EVP_PKEY_new(); + if (!pkey) { + php_openssl_store_errors(); +@@ -4377,6 +4472,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { + } + + return pkey; ++#endif + } + #endif + +-- +2.35.3 + +From 862016897008903be67970101a25c244bc9b3b2f Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Mon, 9 Aug 2021 14:19:33 +0200 +Subject: [PATCH 31/39] Extract public key portion via PEM roundtrip + +The workaround with cloning the X509_REQ no longer works in +OpenSSL 3. Instead extract the public key portion by round +tripping through PEM. 
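Review bot: In the OpenSSL 3 branch of `php_openssl_pkey_init_ec`, `if (EVP_PKEY_check(ctx))` accepts any non-zero return as a valid key, although EVP_PKEY_check is documented to return 1 on success and 0 or a negative value otherwise. The neighbouring calls in this hunk already compare with `<= 0`. The context returned by `EVP_PKEY_CTX_new(param_key, NULL)` is also used without a NULL check, so I would write `if (ctx && EVP_PKEY_check(ctx) > 0) {`. When the check fails, the else branch generates a fresh key and sets `*is_private = true` without any warning. If the check rejects a public-only key (not verifiable from this hunk), a caller who supplied only `x` and `y` may get back a key unrelated to the input, so a comment or warning there would help.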
+ +(cherry picked from commit 26a51e8d7a6026f6bd69813d044785d154a296a3) +--- + ext/openssl/openssl.c | 43 +++++++++++++++++++------------------------ + 1 file changed, 19 insertions(+), 24 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 45f2a30392..ebc862eda2 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3531,49 +3531,44 @@ PHP_FUNCTION(openssl_csr_get_subject) + } + /* }}} */ + ++static EVP_PKEY *php_openssl_extract_public_key(EVP_PKEY *priv_key) ++{ ++ /* Extract public key portion by round-tripping through PEM. */ ++ BIO *bio = BIO_new(BIO_s_mem()); ++ if (!bio || !PEM_write_bio_PUBKEY(bio, priv_key)) { ++ BIO_free(bio); ++ return NULL; ++ } ++ ++ EVP_PKEY *pub_key = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL); ++ BIO_free(bio); ++ return pub_key; ++} ++ + /* {{{ Returns the subject of a CERT or FALSE on error */ + PHP_FUNCTION(openssl_csr_get_public_key) + { +- X509_REQ *orig_csr, *csr; + zend_object *csr_obj; + zend_string *csr_str; + zend_bool use_shortnames = 1; + +- EVP_PKEY *tpubkey; +- + ZEND_PARSE_PARAMETERS_START(1, 2) + Z_PARAM_OBJ_OF_CLASS_OR_STR(csr_obj, php_openssl_request_ce, csr_str) + Z_PARAM_OPTIONAL + Z_PARAM_BOOL(use_shortnames) + ZEND_PARSE_PARAMETERS_END(); + +- orig_csr = php_openssl_csr_from_param(csr_obj, csr_str, 1); +- if (orig_csr == NULL) { ++ X509_REQ *csr = php_openssl_csr_from_param(csr_obj, csr_str, 1); ++ if (csr == NULL) { + RETURN_FALSE; + } + +-#if PHP_OPENSSL_API_VERSION >= 0x10100 +- /* Due to changes in OpenSSL 1.1 related to locking when decoding CSR, +- * the pub key is not changed after assigning. It means if we pass +- * a private key, it will be returned including the private part. 
+- * If we duplicate it, then we get just the public part which is +- * the same behavior as for OpenSSL 1.0 */ +- csr = X509_REQ_dup(orig_csr); +-#else +- csr = orig_csr; +-#endif +- + /* Retrieve the public key from the CSR */ +- tpubkey = X509_REQ_get_pubkey(csr); +- +- if (csr != orig_csr) { +- /* We need to free the duplicated CSR */ +- X509_REQ_free(csr); +- } ++ EVP_PKEY *tpubkey = php_openssl_extract_public_key(X509_REQ_get_pubkey(csr)); + + if (csr_str) { +- /* We also need to free the original CSR if it was freshly created */ +- X509_REQ_free(orig_csr); ++ /* We need to free the original CSR if it was freshly created */ ++ X509_REQ_free(csr); + } + + if (tpubkey == NULL) { +-- +2.35.3 + +From f80074791359e1f6d06803ae7abf0bfaba2208af Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Fri, 6 Aug 2021 12:08:07 +0200 +Subject: [PATCH 32/39] Use param API for openssl_pkey_get_details() + +Now that the DSA/DH/EC keys are not created using the legacy API, +we can fetch the details using the param API as well, and not +run into buggy priv_key handling. 
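Review bot: In `openssl_csr_get_public_key`, the call `php_openssl_extract_public_key(X509_REQ_get_pubkey(csr))` never releases the reference that `X509_REQ_get_pubkey` returns, and a NULL return reaches `PEM_write_bio_PUBKEY` unchecked. Holding the key in a local fixes both: `EVP_PKEY *orig = X509_REQ_get_pubkey(csr);`, `EVP_PKEY *tpubkey = orig ? php_openssl_extract_public_key(orig) : NULL;`, `EVP_PKEY_free(orig);`. The removed comment says the unduplicated key can carry the private part, so the helper deserves a short comment stating that it must always return a freshly parsed public-only key and never its argument. PATCH 37/39 is titled as a leak fix and may already handle the release. The function body continues past the end of this hunk.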
+ +(cherry picked from commit 6db2c2dbe7a02055e2798e503ccde4b151b7cabf) +--- + ext/openssl/openssl.c | 123 ++++++++++++++++++++++++++++++++++++------ + 1 file changed, 106 insertions(+), 17 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index ebc862eda2..c92524b08e 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3890,17 +3890,17 @@ cleanup: + } + /* }}} */ + +-#define OPENSSL_GET_BN(_array, _bn, _name) do { \ +- if (_bn != NULL) { \ +- int len = BN_num_bytes(_bn); \ +- zend_string *str = zend_string_alloc(len, 0); \ +- BN_bn2bin(_bn, (unsigned char*)ZSTR_VAL(str)); \ +- ZSTR_VAL(str)[len] = 0; \ +- add_assoc_str(&_array, #_name, str); \ +- } \ +- } while (0); ++static void php_openssl_add_bn_to_array(zval *ary, const BIGNUM *bn, const char *name) { ++ if (bn != NULL) { ++ int len = BN_num_bytes(bn); ++ zend_string *str = zend_string_alloc(len, 0); ++ BN_bn2bin(bn, (unsigned char *)ZSTR_VAL(str)); ++ ZSTR_VAL(str)[len] = 0; ++ add_assoc_str(ary, name, str); ++ } ++} + +-#define OPENSSL_PKEY_GET_BN(_type, _name) OPENSSL_GET_BN(_type, _name, _name) ++#define OPENSSL_PKEY_GET_BN(_type, _name) php_openssl_add_bn_to_array(&_type, _name, #_name) + + #define OPENSSL_PKEY_SET_BN(_data, _name) do { \ + zval *bn; \ +@@ -4741,12 +4741,34 @@ PHP_FUNCTION(openssl_pkey_get_private) + + /* }}} */ + ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++static void php_openssl_copy_bn_param( ++ zval *ary, EVP_PKEY *pkey, const char *param, const char *name) { ++ BIGNUM *bn = NULL; ++ if (EVP_PKEY_get_bn_param(pkey, param, &bn) > 0) { ++ php_openssl_add_bn_to_array(ary, bn, name); ++ BN_free(bn); ++ } ++} ++ ++static zend_string *php_openssl_get_utf8_param( ++ EVP_PKEY *pkey, const char *param, const char *name) { ++ char buf[64]; ++ size_t len; ++ if (EVP_PKEY_get_utf8_string_param(pkey, param, buf, sizeof(buf), &len) > 0) { ++ zend_string *str = zend_string_alloc(len, 0); ++ memcpy(ZSTR_VAL(str), buf, len); ++ ZSTR_VAL(str)[len] = '\0'; ++ 
return str; ++ } ++ return NULL; ++} ++#endif ++ + /* {{{ returns an array with the key details (bits, pkey, type)*/ + PHP_FUNCTION(openssl_pkey_get_details) + { + zval *key; +- EVP_PKEY *pkey; +- BIO *out; + unsigned int pbio_len; + char *pbio; + zend_long ktype; +@@ -4755,9 +4777,9 @@ PHP_FUNCTION(openssl_pkey_get_details) + RETURN_THROWS(); + } + +- pkey = Z_OPENSSL_PKEY_P(key)->pkey; ++ EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey; + +- out = BIO_new(BIO_s_mem()); ++ BIO *out = BIO_new(BIO_s_mem()); + if (!PEM_write_bio_PUBKEY(out, pkey)) { + BIO_free(out); + php_openssl_store_errors(); +@@ -4771,6 +4793,72 @@ PHP_FUNCTION(openssl_pkey_get_details) + /*TODO: Use the real values once the openssl constants are used + * See the enum at the top of this file + */ ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ zval ary; ++ switch (EVP_PKEY_base_id(pkey)) { ++ case EVP_PKEY_RSA: ++ ktype = OPENSSL_KEYTYPE_RSA; ++ array_init(&ary); ++ add_assoc_zval(return_value, "rsa", &ary); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_N, "n"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_E, "e"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_D, "d"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, "p"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, "q"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, "dmp1"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, "dmq1"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, "iqmp"); ++ break; ++ case EVP_PKEY_DSA: ++ ktype = OPENSSL_KEYTYPE_DSA; ++ array_init(&ary); ++ add_assoc_zval(return_value, "dsa", &ary); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_P, "p"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_Q, "q"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_G, "g"); ++ php_openssl_copy_bn_param(&ary, pkey, 
OSSL_PKEY_PARAM_PRIV_KEY, "priv_key"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key"); ++ break; ++ case EVP_PKEY_DH: ++ ktype = OPENSSL_KEYTYPE_DH; ++ array_init(&ary); ++ add_assoc_zval(return_value, "dh", &ary); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_P, "p"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_G, "g"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "priv_key"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key"); ++ break; ++ case EVP_PKEY_EC: { ++ ktype = OPENSSL_KEYTYPE_EC; ++ array_init(&ary); ++ add_assoc_zval(return_value, "ec", &ary); ++ ++ zend_string *curve_name = php_openssl_get_utf8_param( ++ pkey, OSSL_PKEY_PARAM_GROUP_NAME, "curve_name"); ++ if (curve_name) { ++ add_assoc_str(&ary, "curve_name", curve_name); ++ ++ int nid = OBJ_sn2nid(ZSTR_VAL(curve_name)); ++ if (nid != NID_undef) { ++ ASN1_OBJECT *obj = OBJ_nid2obj(nid); ++ if (obj) { ++ // OpenSSL recommends a buffer length of 80. 
++ char oir_buf[80]; ++ int oir_len = OBJ_obj2txt(oir_buf, sizeof(oir_buf), obj, 1); ++ add_assoc_stringl(&ary, "curve_oid", oir_buf, oir_len); ++ ASN1_OBJECT_free(obj); ++ } ++ } ++ } ++ ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_EC_PUB_X, "x"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_EC_PUB_Y, "y"); ++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "d"); ++ break; ++ } ++ EMPTY_SWITCH_DEFAULT_CASE(); ++ } ++#else + switch (EVP_PKEY_base_id(pkey)) { + case EVP_PKEY_RSA: + case EVP_PKEY_RSA2: +@@ -4887,14 +4975,14 @@ PHP_FUNCTION(openssl_pkey_get_details) + pub = EC_KEY_get0_public_key(ec_key); + + if (EC_POINT_get_affine_coordinates_GFp(ec_group, pub, x, y, NULL)) { +- OPENSSL_GET_BN(ec, x, x); +- OPENSSL_GET_BN(ec, y, y); ++ php_openssl_add_bn_to_array(&ec, x, "x"); ++ php_openssl_add_bn_to_array(&ec, y, "y"); + } else { + php_openssl_store_errors(); + } + + if ((d = EC_KEY_get0_private_key(EVP_PKEY_get0_EC_KEY(pkey))) != NULL) { +- OPENSSL_GET_BN(ec, d, d); ++ php_openssl_add_bn_to_array(&ec, d, "d"); + } + + add_assoc_zval(return_value, "ec", &ec); +@@ -4908,6 +4996,7 @@ PHP_FUNCTION(openssl_pkey_get_details) + ktype = -1; + break; + } ++#endif + add_assoc_long(return_value, "type", ktype); + + BIO_free(out); +-- +2.35.3 + +From 657a28022fbcd7c22137f00c3688b4e5a19a1457 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Mon, 9 Aug 2021 14:34:12 +0200 +Subject: [PATCH 33/39] Add missing unsigned qualifier + +This previously got lost in the deprecation warning noise. 
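Review bot: In the `EVP_PKEY_EC` case, `add_assoc_stringl(&ary, "curve_oid", oir_buf, oir_len)` uses the return value of `OBJ_obj2txt` as the copy length without checking it. That function reports the length the text needs, which can exceed the 80-byte buffer, and may return a negative value on error. The length should be bounded before the copy: `if (oir_len > 0 && (size_t)oir_len < sizeof(oir_buf)) { add_assoc_stringl(&ary, "curve_oid", oir_buf, oir_len); }`. OIDs of named curves are short, so as far as this hunk shows this is a hardening point rather than a reachable over-read. In the preceding hunk, the result of `BIO_new(BIO_s_mem())` is likewise passed to `PEM_write_bio_PUBKEY` without a NULL check.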
+ +(cherry picked from commit ff2a39e6fcbd9a3bd7f411168b19711a4be9a2a4) +--- + ext/openssl/openssl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index c92524b08e..36f69bf248 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4358,7 +4358,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { + BIGNUM *d = NULL, *x = NULL, *y = NULL; + EC_GROUP *group = NULL; + EC_POINT *pnt = NULL; +- char *pnt_oct = NULL; ++ unsigned char *pnt_oct = NULL; + EVP_PKEY *param_key = NULL, *pkey = NULL; + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + OSSL_PARAM *params = NULL; +-- +2.35.3 + +From b4573ad1283bb4405b4826d248d272eaca2d9ee8 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Mon, 9 Aug 2021 14:47:43 +0200 +Subject: [PATCH 34/39] Use param API to create RSA key + +Instead of deprecated low-level API. + +A caveat here is that when using the high-level API, OpenSSL 3 +requires that if the prime factors are set, the CRT parameters +are also set. See https://github.com/openssl/openssl/issues/16271. + +As such, add CRT parameters to the manual construction test. + +This fixes the last deprecation warnings in openssl.c, but there +are more elsewhere. 
+ +(cherry picked from commit 3724b49aa953fadc365c27e64fba2266d7f6d16b) +--- + ext/openssl/openssl.c | 121 +++++++++++++++--- + ext/openssl/tests/openssl_pkey_new_basic.phpt | 16 +++ + 2 files changed, 116 insertions(+), 21 deletions(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index 36f69bf248..e545c00731 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3914,8 +3914,8 @@ static void php_openssl_add_bn_to_array(zval *ary, const BIGNUM *bn, const char + } \ + } while (0); + +-/* {{{ php_openssl_pkey_init_rsa */ +-static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, zval *data) ++#if PHP_OPENSSL_API_VERSION < 0x30000 ++static zend_bool php_openssl_pkey_init_legacy_rsa(RSA *rsa, zval *data) + { + BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp; + +@@ -3939,12 +3939,102 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, + return 0; + } + +- if (!EVP_PKEY_assign_RSA(pkey, rsa)) { ++ return 1; ++} ++#endif ++ ++static EVP_PKEY *php_openssl_pkey_init_rsa(zval *data) ++{ ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL; ++ BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; ++ EVP_PKEY *pkey = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); ++ OSSL_PARAM *params = NULL; ++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); ++ ++ OPENSSL_PKEY_SET_BN(data, n); ++ OPENSSL_PKEY_SET_BN(data, e); ++ OPENSSL_PKEY_SET_BN(data, d); ++ OPENSSL_PKEY_SET_BN(data, p); ++ OPENSSL_PKEY_SET_BN(data, q); ++ OPENSSL_PKEY_SET_BN(data, dmp1); ++ OPENSSL_PKEY_SET_BN(data, dmq1); ++ OPENSSL_PKEY_SET_BN(data, iqmp); ++ ++ if (!ctx || !bld || !n || !d) { ++ goto cleanup; ++ } ++ ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n); ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d); ++ if (e) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e); ++ } ++ if (p) { ++ OSSL_PARAM_BLD_push_BN(bld, 
OSSL_PKEY_PARAM_RSA_FACTOR1, p); ++ } ++ if (q) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR2, q); ++ } ++ if (dmp1) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1); ++ } ++ if (dmq1) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1); ++ } ++ if (iqmp) { ++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp); ++ } ++ ++ params = OSSL_PARAM_BLD_to_param(bld); ++ if (!params) { ++ goto cleanup; ++ } ++ ++ if (EVP_PKEY_fromdata_init(ctx) <= 0 || ++ EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) { ++ goto cleanup; ++ } ++ ++cleanup: ++ php_openssl_store_errors(); ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(bld); ++ BN_free(n); ++ BN_free(e); ++ BN_free(d); ++ BN_free(p); ++ BN_free(q); ++ BN_free(dmp1); ++ BN_free(dmq1); ++ BN_free(iqmp); ++ return pkey; ++#else ++ EVP_PKEY *pkey = EVP_PKEY_new(); ++ if (!pkey) { + php_openssl_store_errors(); +- return 0; ++ return NULL; + } + +- return 1; ++ RSA *rsa = RSA_new(); ++ if (!rsa) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ return NULL; ++ } ++ ++ if (!php_openssl_pkey_init_legacy_rsa(rsa, data) ++ || !EVP_PKEY_assign_RSA(pkey, rsa)) { ++ php_openssl_store_errors(); ++ EVP_PKEY_free(pkey); ++ RSA_free(rsa); ++ return NULL; ++ } ++ ++ return pkey; ++#endif + } + + #if PHP_OPENSSL_API_VERSION < 0x30000 +@@ -4488,23 +4578,12 @@ PHP_FUNCTION(openssl_pkey_new) + + if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "rsa", sizeof("rsa")-1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { +- pkey = EVP_PKEY_new(); +- if (pkey) { +- RSA *rsa = RSA_new(); +- if (rsa) { +- if (php_openssl_pkey_init_and_assign_rsa(pkey, rsa, data)) { +- php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true); +- return; +- } +- RSA_free(rsa); +- } else { +- php_openssl_store_errors(); +- } +- EVP_PKEY_free(pkey); +- } else { +- php_openssl_store_errors(); ++ pkey = php_openssl_pkey_init_rsa(data); ++ if 
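Review bot: The `cleanup` section of the OpenSSL 3 branch in `php_openssl_pkey_init_rsa` releases the caller-supplied private components with `BN_free`, which returns the memory without wiping it, so copies of `d`, `p`, `q` and the CRT values remain in freed heap. I would use `BN_clear_free(d); BN_clear_free(p); BN_clear_free(q);` and the same for `dmp1`, `dmq1` and `iqmp`. The `BN_free(d)` in the OpenSSL 3 branch of `php_openssl_pkey_init_ec` deserves the same change. The results of the `OSSL_PARAM_BLD_push_BN` calls are also ignored, so a failed push is noticed only if `EVP_PKEY_fromdata` happens to reject the incomplete set. Checking them and jumping to `cleanup` would make that failure explicit.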
(!pkey) { ++ RETURN_FALSE; + } +- RETURN_FALSE; ++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true); ++ return; + } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dsa", sizeof("dsa") - 1)) != NULL && + Z_TYPE_P(data) == IS_ARRAY) { + bool is_private; +diff --git a/ext/openssl/tests/openssl_pkey_new_basic.phpt b/ext/openssl/tests/openssl_pkey_new_basic.phpt +index b2c37f6a87..08c9660f22 100644 +--- a/ext/openssl/tests/openssl_pkey_new_basic.phpt ++++ b/ext/openssl/tests/openssl_pkey_new_basic.phpt +@@ -26,6 +26,11 @@ $phex = "EECFAE81B1B9B3C908810B10A1B5600199EB9F44AEF4FDA493B81A9E3D84F632" . + $qhex = "C97FB1F027F453F6341233EAAAD1D9353F6C42D08866B1D05A0F2035028B9D86" . + "9840B41666B42E92EA0DA3B43204B5CFCE3352524D0416A5A441E700AF461503"; + ++$dphex = "11"; ++$dqhex = "11"; ++$qinvhex = "b06c4fdabb6301198d265bdbae9423b380f271f73453885093077fcd39e2119f" . ++ "c98632154f5883b167a967bf402b4e9e2e0f9656e698ea3666edfb25798039f7"; ++ + $rsa= openssl_pkey_new(array( + 'rsa' => array( + 'n' => hex2bin($nhex), +@@ -33,6 +38,9 @@ $rsa= openssl_pkey_new(array( + 'd' => hex2bin($dhex), + 'p' => hex2bin($phex), + 'q' => hex2bin($qhex), ++ 'dmp1' => hex2bin($dphex), ++ 'dmq1' => hex2bin($dqhex), ++ 'iqmp' => hex2bin($qinvhex), + ) + )); + $details = openssl_pkey_get_details($rsa); +@@ -42,6 +50,10 @@ openssl_pkey_test_cmp($ehex, $rsa_details['e']); + openssl_pkey_test_cmp($dhex, $rsa_details['d']); + openssl_pkey_test_cmp($phex, $rsa_details['p']); + openssl_pkey_test_cmp($qhex, $rsa_details['q']); ++openssl_pkey_test_cmp($dphex, $rsa_details['dmp1']); ++openssl_pkey_test_cmp($dqhex, $rsa_details['dmq1']); ++openssl_pkey_test_cmp($qinvhex, $rsa_details['iqmp']); ++echo "\n"; + + // DSA + $phex = '00f8000ae45b2dacb47dd977d58b719d097bdf07cb2c17660ad898518c08' . 
+@@ -95,6 +107,10 @@ int(0) + int(0) + int(0) + int(0) ++int(0) ++int(0) ++int(0) ++ + int(0) + int(0) + int(0) +-- +2.35.3 + +From df158325e29bda202b654d1257a8f86782d7a2d2 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Tue, 10 Aug 2021 11:50:18 +0200 +Subject: [PATCH 35/39] Fork openssl_error_string() test for OpenSSL + +The used error code differ signficantly, so use a separate test +file. + +openssl_encrypt() no longer throws an error for invalid key length, +which looks like an upstream bug. + +(cherry picked from commit e5f53e1ca13bfe8abd0f6037c98b59d2dac5744f) +--- + .../tests/openssl_error_string_basic.phpt | 7 +- + .../openssl_error_string_basic_openssl3.phpt | 183 ++++++++++++++++++ + 2 files changed, 188 insertions(+), 2 deletions(-) + create mode 100644 ext/openssl/tests/openssl_error_string_basic_openssl3.phpt + +diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt +index f3eb82067b..aee84b3fab 100644 +--- a/ext/openssl/tests/openssl_error_string_basic.phpt ++++ b/ext/openssl/tests/openssl_error_string_basic.phpt +@@ -1,7 +1,10 @@ + --TEST-- +-openssl_error_string() tests ++openssl_error_string() tests (OpenSSL < 3.0) + --SKIPIF-- +- ++= 0x30000000) die('skip For OpenSSL < 3.0'); ++?> + --FILE-- + = 3.0) ++--EXTENSIONS-- ++openssl ++--SKIPIF-- ++= 3.0'); ++?> ++--FILE-- ++ 0) { ++ $error_code = $m[1]; ++ if (isset($expected_errors[$error_code])) { ++ $expected_errors[$error_code] = true; ++ } ++ $all_errors[$error_code] = $error_string; ++ } else { ++ $all_errors[] = $error_string; ++ } ++ } ++ ++ $fail = false; ++ foreach ($expected_errors as $error_code => $error_code_found) { ++ if (!$error_code_found) { ++ $fail = true; ++ echo "$name: no error code $error_code\n"; ++ } ++ } ++ ++ if (!$fail) { ++ echo "$name: ok\n"; ++ } else { ++ echo "$name: uncaught errors\n"; ++ foreach ($all_errors as $code => $str) { ++ if (!isset($expected_errors[$code]) || !$expected_errors[$code]) { ++ echo 
"\t", $code, ": ", $str, "\n"; ++ } ++ } ++ } ++} ++ ++// helper for debugging errors ++function dump_openssl_errors($name) { ++ echo "\n$name\n"; ++ while (($error_string = openssl_error_string()) !== false) { ++ var_dump($error_string); ++ } ++} ++ ++// common output file ++$output_file = __DIR__ . "/openssl_error_string_basic_output.tmp"; ++// invalid file for read is something that does not exist in current directory ++$invalid_file_for_read = __DIR__ . "/invalid_file_for_read_operation.txt"; ++// invalid file for is the test dir as writing file to existing dir should always fail ++$invalid_file_for_write = __DIR__; ++// crt file ++$crt_file = "file://" . __DIR__ . "/cert.crt"; ++// csr file ++$csr_file = "file://" . __DIR__ . "/cert.csr"; ++// public key file ++$public_key_file = "file://" .__DIR__ . "/public.key"; ++// private key file ++$private_key_file = "file://" .__DIR__ . "/private_rsa_1024.key"; ++// private key file with password (password is 'php') ++$private_key_file_with_pass = "file://" .__DIR__ . "/private_rsa_2048_pass_php.key"; ++ ++// ENCRYPTION ++$data = "test"; ++$method = "AES-128-ECB"; ++$enc_key = str_repeat('x', 40); ++// error because password is longer then key length and ++// EVP_CIPHER_CTX_set_key_length fails for AES ++if (0) { ++// TODO: This no longer errors! 
++openssl_encrypt($data, $method, $enc_key); ++$enc_error = openssl_error_string(); ++var_dump($enc_error); ++// make sure that error is cleared now ++var_dump(openssl_error_string()); ++// internally OpenSSL ERR won't save more than 15 (16 - 1) errors so lets test it ++for ($i = 0; $i < 20; $i++) { ++ openssl_encrypt($data, $method, $enc_key); ++} ++$error_queue_size = 0; ++while (($enc_error_new = openssl_error_string()) !== false) { ++ if ($enc_error_new !== $enc_error) { ++ echo "The new encoding error doesn't match the expected one\n"; ++ } ++ ++$error_queue_size; ++} ++var_dump($error_queue_size); ++echo "\n"; ++} ++ ++$err_pem_no_start_line = '0480006C'; ++ ++// PKEY ++echo "PKEY errors\n"; ++// file for pkey (file:///) fails when opennig (BIO_new_file) ++@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file); ++expect_openssl_errors('openssl_pkey_export_to_file opening', ['10000080']); ++// file or private pkey is not correct PEM - failing PEM_read_bio_PrivateKey ++@openssl_pkey_export_to_file($csr_file, $output_file); ++expect_openssl_errors('openssl_pkey_export_to_file pem', ['1E08010C']); ++// file to export cannot be written ++@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write); ++expect_openssl_errors('openssl_pkey_export_to_file write', ['10080002']); ++// successful export ++@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd'); ++expect_openssl_errors('openssl_pkey_export', ['1C800064', '04800065']); ++// invalid x509 for getting public key ++@openssl_pkey_get_public($private_key_file); ++expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]); ++// private encrypt with unknown padding ++@openssl_private_encrypt("data", $crypted, $private_key_file, 1000); ++expect_openssl_errors('openssl_private_encrypt', ['1C8000A5']); ++// private decrypt with failed padding check ++@openssl_private_decrypt("data", $crypted, $private_key_file); 
++expect_openssl_errors('openssl_private_decrypt', ['0200009F', '02000072']); ++// public encrypt and decrypt with failed padding check and padding ++@openssl_public_encrypt("data", $crypted, $public_key_file, 1000); ++@openssl_public_decrypt("data", $crypted, $public_key_file); ++expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '02000076', '0200008A', '02000072', '1C880004']); ++ ++// X509 ++echo "X509 errors\n"; ++// file for x509 (file:///) fails when opennig (BIO_new_file) ++@openssl_x509_export_to_file("file://" . $invalid_file_for_read, $output_file); ++expect_openssl_errors('openssl_x509_export_to_file open', ['10000080']); ++// file or str cert is not correct PEM - failing PEM_read_bio_X509 or PEM_ASN1_read_bio ++@openssl_x509_export_to_file($csr_file, $output_file); ++expect_openssl_errors('openssl_x509_export_to_file pem', [$err_pem_no_start_line]); ++// file to export cannot be written ++@openssl_x509_export_to_file($crt_file, $invalid_file_for_write); ++expect_openssl_errors('openssl_x509_export_to_file write', ['10080002']); ++// checking purpose fails because there is no such purpose 1000 ++@openssl_x509_checkpurpose($crt_file, 1000); ++expect_openssl_errors('openssl_x509_checkpurpose purpose', ['05800079']); ++ ++// CSR ++echo "CSR errors\n"; ++// file for csr (file:///) fails when opennig (BIO_new_file) ++@openssl_csr_get_subject("file://" . 
$invalid_file_for_read); ++expect_openssl_errors('openssl_csr_get_subject open', ['10000080']); ++// file or str csr is not correct PEM - failing PEM_read_bio_X509_REQ ++@openssl_csr_get_subject($crt_file); ++expect_openssl_errors('openssl_csr_get_subjec pem', [$err_pem_no_start_line]); ++ ++// other possible causes that are difficult to catch: ++// - ASN1_STRING_to_UTF8 fails in add_assoc_name_entry ++// - invalid php_x509_request field (NULL) would cause error with CONF_get_string ++ ++?> ++--CLEAN-- ++ ++--EXPECT-- ++PKEY errors ++openssl_pkey_export_to_file opening: ok ++openssl_pkey_export_to_file pem: ok ++openssl_pkey_export_to_file write: ok ++openssl_pkey_export: ok ++openssl_pkey_get_public: ok ++openssl_private_encrypt: ok ++openssl_private_decrypt: ok ++openssl_private_(en|de)crypt padding: ok ++X509 errors ++openssl_x509_export_to_file open: ok ++openssl_x509_export_to_file pem: ok ++openssl_x509_export_to_file write: ok ++openssl_x509_checkpurpose purpose: ok ++CSR errors ++openssl_csr_get_subject open: ok ++openssl_csr_get_subjec pem: ok +-- +2.35.3 + +From 48fb287c50a87929a30da3e751e4c0f7a3f2d86f Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Tue, 10 Aug 2021 12:17:17 +0200 +Subject: [PATCH 36/39] Switch dh_param handling to EVP_PKEY API + +(cherry picked from commit ef787bae242fdd2e72625bbce6ab4ca466b1ef59) +--- + ext/openssl/xp_ssl.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c +index 206543ca82..b61234943e 100644 +--- a/ext/openssl/xp_ssl.c ++++ b/ext/openssl/xp_ssl.c +@@ -1197,11 +1197,7 @@ static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength) + + static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* {{{ */ + { +- DH *dh; +- BIO* bio; +- zval *zdhpath; +- +- zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param"); ++ zval *zdhpath = 
php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param"); + if (zdhpath == NULL) { + #if 0 + /* Coming in OpenSSL 1.1 ... eventually we'll want to enable this +@@ -1216,14 +1212,29 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* + return FAILURE; + } + +- bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY)); ++ BIO *bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY)); + + if (bio == NULL) { + php_error_docref(NULL, E_WARNING, "Invalid dh_param"); + return FAILURE; + } + +- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); ++#if PHP_OPENSSL_API_VERSION >= 0x30000 ++ EVP_PKEY *pkey = PEM_read_bio_Parameters(bio, NULL); ++ BIO_free(bio); ++ ++ if (pkey == NULL) { ++ php_error_docref(NULL, E_WARNING, "Failed reading DH params"); ++ return FAILURE; ++ } ++ ++ if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) < 0) { ++ php_error_docref(NULL, E_WARNING, "Failed assigning DH params"); ++ EVP_PKEY_free(pkey); ++ return FAILURE; ++ } ++#else ++ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + BIO_free(bio); + + if (dh == NULL) { +@@ -1238,6 +1249,7 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* + } + + DH_free(dh); ++#endif + + return SUCCESS; + } +-- +2.35.3 + +From 516b75ea853a88a8d690628e5283f551bce6664e Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Wed, 11 Aug 2021 10:11:12 +0200 +Subject: [PATCH 37/39] Fix openssl memory leaks + +Some leaks that snuck in during refactorings. 
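Review bot: In the OpenSSL 3 branch of php_openssl_set_server_dh_param (embedded patch 36/39, second xp_ssl.c hunk), the `SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) < 0` test cannot fire, because that call is documented to return 1 on success and 0 on failure. A rejected dh_param file would then fall through to `return SUCCESS` with no warning, the listener would come up without the DH group the administrator configured, and the `pkey` that was never handed over would leak. The check should read `if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) != 1) {`. The legacy `#else` branch is only partly visible in these hunks, so its own return-value comparison is worth checking against the same convention.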
+ +(cherry picked from commit 7d2a2c7dc0447c81316d14f3a43a4b6a8ce0b982) +--- + ext/openssl/openssl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index e545c00731..c6445a1993 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -3564,7 +3564,9 @@ PHP_FUNCTION(openssl_csr_get_public_key) + } + + /* Retrieve the public key from the CSR */ +- EVP_PKEY *tpubkey = php_openssl_extract_public_key(X509_REQ_get_pubkey(csr)); ++ EVP_PKEY *orig_key = X509_REQ_get_pubkey(csr); ++ EVP_PKEY *tpubkey = php_openssl_extract_public_key(orig_key); ++ EVP_PKEY_free(orig_key); + + if (csr_str) { + /* We need to free the original CSR if it was freshly created */ +@@ -4430,6 +4432,7 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ + php_openssl_store_errors(); + } + if (EC_KEY_check_key(eckey)) { ++ EC_GROUP_free(group); + return true; + } else { + php_openssl_store_errors(); +-- +2.35.3 + +From 63cd9d7c16f7b7fa847c2e5239285a7d07edd237 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Fri, 10 Sep 2021 11:28:20 +0200 +Subject: [PATCH 38/39] fix [-Wmaybe-uninitialized] build warnings + +(cherry picked from commit 6ee96f095ad947ffc820437b2e9e6449000e18a2) +--- + ext/openssl/openssl.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c +index c6445a1993..8e28575659 100644 +--- a/ext/openssl/openssl.c ++++ b/ext/openssl/openssl.c +@@ -4093,6 +4093,8 @@ static EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private) + OPENSSL_PKEY_SET_BN(data, priv_key); + OPENSSL_PKEY_SET_BN(data, pub_key); + ++ *is_private = false; ++ + if (!ctx || !bld || !p || !q || !g) { + goto cleanup; + } +@@ -4264,6 +4266,8 @@ static EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private) + OPENSSL_PKEY_SET_BN(data, priv_key); + OPENSSL_PKEY_SET_BN(data, pub_key); + ++ *is_private = false; ++ + if (!ctx 
|| !bld || !p || !g) { + goto cleanup; + } +@@ -4357,6 +4361,8 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ + zval *x; + zval *y; + ++ *is_private = false; ++ + if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL && + Z_TYPE_P(bn) == IS_STRING) { + int nid = OBJ_sn2nid(Z_STRVAL_P(bn)); +@@ -4381,7 +4387,6 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_ + } + + // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y' +- *is_private = false; + if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL && + Z_TYPE_P(bn) == IS_STRING) { + *is_private = true; +@@ -4462,6 +4467,8 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) { + OPENSSL_PKEY_SET_BN(data, x); + OPENSSL_PKEY_SET_BN(data, y); + ++ *is_private = false; ++ + if (!ctx || !bld || !curve_name_zv || Z_TYPE_P(curve_name_zv) != IS_STRING) { + goto cleanup; + } +-- +2.35.3 + +From ae633599a3a1475e6b3508cd538c3d283fc2cabc Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka +Date: Sun, 12 Sep 2021 20:30:02 +0100 +Subject: [PATCH 39/39] Make OpenSSL tests less dependent on system config + +It fixes dependencies on system config if running tests with OpenSSL 3.0 + +(cherry picked from commit 43f0141d74c1db6e792f3b625ea7f4ae57ff338f) +--- + ext/openssl/tests/bug52093.phpt | 6 +++--- + ext/openssl/tests/bug72165.phpt | 5 +++-- + ext/openssl/tests/bug73711.phpt | 3 +++ + ext/openssl/tests/ecc.phpt | 3 +++ + .../tests/openssl_error_string_basic_openssl3.phpt | 9 +++++---- + 5 files changed, 17 insertions(+), 9 deletions(-) + +diff --git a/ext/openssl/tests/bug52093.phpt b/ext/openssl/tests/bug52093.phpt +index 63eaceb5ac..162945f914 100644 +--- a/ext/openssl/tests/bug52093.phpt ++++ b/ext/openssl/tests/bug52093.phpt +@@ -14,10 +14,10 @@ $dn = array( + "commonName" => "Henrique do N. 
Angelo", + "emailAddress" => "hnangelo@php.net" + ); +- ++$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf']; + $privkey = openssl_pkey_new(); +-$csr = openssl_csr_new($dn, $privkey); +-$cert = openssl_csr_sign($csr, null, $privkey, 365, [], PHP_INT_MAX); ++$csr = openssl_csr_new($dn, $privkey, $options); ++$cert = openssl_csr_sign($csr, null, $privkey, 365, $options, PHP_INT_MAX); + var_dump(openssl_x509_parse($cert)['serialNumber']); + ?> + --EXPECT-- +diff --git a/ext/openssl/tests/bug72165.phpt b/ext/openssl/tests/bug72165.phpt +index 50e8b54100..fb78881fc3 100644 +--- a/ext/openssl/tests/bug72165.phpt ++++ b/ext/openssl/tests/bug72165.phpt +@@ -6,8 +6,9 @@ if (!extension_loaded("openssl")) die("skip"); + ?> + --FILE-- + "hello", 1 => "world"); +-$var2 = openssl_csr_new(array(0),$var0,null,array(0)); ++$var0 = [0 => "hello", 1 => "world"]; ++$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf']; ++$var2 = openssl_csr_new([0], $var0, $options, [0]); + ?> + --EXPECTF-- + Warning: openssl_csr_new(): dn: numeric fild names are not supported in %sbug72165.php on line %d +diff --git a/ext/openssl/tests/bug73711.phpt b/ext/openssl/tests/bug73711.phpt +index 4e4bba8aa8..8ca0101d1a 100644 +--- a/ext/openssl/tests/bug73711.phpt ++++ b/ext/openssl/tests/bug73711.phpt +@@ -6,13 +6,16 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded"); + ?> + --FILE-- + OPENSSL_KEYTYPE_DSA, + "private_key_bits" => 1024, ++ 'config' => $config, + ])); + var_dump(openssl_pkey_new([ + "private_key_type" => OPENSSL_KEYTYPE_DH, + "private_key_bits" => 512, ++ 'config' => $config, + ])); + echo "DONE"; + ?> +diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt +index 0b05410c2c..1d97b1450a 100644 +--- a/ext/openssl/tests/ecc.phpt ++++ b/ext/openssl/tests/ecc.phpt +@@ -4,9 +4,11 @@ openssl_*() with OPENSSL_KEYTYPE_EC + + --FILE-- + "secp384r1", + "private_key_type" => OPENSSL_KEYTYPE_EC, ++ "config" => $config, + ); + echo 
"Testing openssl_pkey_new\n"; + $key1 = openssl_pkey_new($args); +@@ -15,6 +17,7 @@ var_dump($key1); + $argsFailed = array( + "curve_name" => "invalid_cuve_name", + "private_key_type" => OPENSSL_KEYTYPE_EC, ++ "config" => $config, + ); + + $keyFailed = openssl_pkey_new($argsFailed); +diff --git a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt +index b119346fe1..d435a53e30 100644 +--- a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt ++++ b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt +@@ -100,18 +100,19 @@ echo "\n"; + $err_pem_no_start_line = '0480006C'; + + // PKEY ++$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf']; + echo "PKEY errors\n"; + // file for pkey (file:///) fails when opennig (BIO_new_file) +-@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file); ++@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file, null, $options); + expect_openssl_errors('openssl_pkey_export_to_file opening', ['10000080']); + // file or private pkey is not correct PEM - failing PEM_read_bio_PrivateKey +-@openssl_pkey_export_to_file($csr_file, $output_file); ++@openssl_pkey_export_to_file($csr_file, $output_file, null, $options); + expect_openssl_errors('openssl_pkey_export_to_file pem', ['1E08010C']); + // file to export cannot be written +-@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write); ++@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write, null, $options); + expect_openssl_errors('openssl_pkey_export_to_file write', ['10080002']); + // successful export +-@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd'); ++@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd', $options); + expect_openssl_errors('openssl_pkey_export', ['1C800064', '04800065']); + // invalid x509 for getting public key + @openssl_pkey_get_public($private_key_file); +-- 
+2.35.3
+
diff --git a/php-8.0.27.tar.xz b/php-8.0.27.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..97c5839b2d3cdc6e38a0a13b49d558a96b0e725e
Binary files /dev/null and b/php-8.0.27.tar.xz differ
diff --git a/php-8.0.27.tar.xz.asc b/php-8.0.27.tar.xz.asc
new file mode 100644
index 0000000000000000000000000000000000000000..5ce1592e9281ebec5914f8f2be3158f2d2c26ba7
--- /dev/null
+++ b/php-8.0.27.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJKBAABCAA0FiEELBbHZdvlSgiBMPG8S5tfYAtV87QFAmO0V3EWHGNhcnVzb2dh
+YnJpZWxAcGhwLm5ldAAKCRBLm19gC1XztIS+D/4oSpkmnwIJgZVkb3eGrwdOwTzu
+dDg1cT/eO89AuKmEsVYCDxOGyWIUBunZkZ5sEWbvlNPM4xxxA1EN6DoNMgZal1UN
+hSdx19IbmMBYAquINikasBQEvMhCJMUNqRvvLmGRndbDk8DusrIEyxv65clpt3xx
+r7rzYs+06+i2MCUxI53nRX3Hl6MQ208Wx/SefKu2LrZ+5Sylz/fFpYP1kre21f+4
+Zpig5wR8WS0KyzPO7rPdYq8+SQ88pYrlxSGIbgC1WLDSODWJ2aqSfshinVkOBlMh
+XdbNv9hBidQT+B0YaTLCm0SrFCpTfBcW4+4WBucjQjhwYtfC+3ldMY/tdzPBIYWI
+yLfTcpsRViv1Jn4liwFsGIlFPy9CaE3e/IOQaxgh/SAeGwMVQEAkysmTNWCS7/BW
+uJ/+TeEGoYkLIwbP4AIOk2YXDlr9BwaUHLqITFVgqZLEhXC2elFsPd/9B1MgGwMO
+1ZcjMoULgPnMkoGhKhuCUuxug4yjBxBVROreNhtXvfmTt24GUkR65Aqm6w8S4OPO
+kG3aqhSxTAOHQCbMl4PyOkUBUbVIpByiJSMOz+PAAb7SHMc3suw3MEGZTMoLD1Gh
+JgCjjh0KyMEJtN8nILI85xOQeuv6zG/szwNcZWXrC6+PTndMXOACLyS0dNCevFNz
+DCp3Qv9kRIty3xvUKg==
+=Rb0u
+-----END PGP SIGNATURE-----
diff --git a/php-8.0.6-deprecated.patch b/php-8.0.6-deprecated.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1e6b93b3cbf0428111c844c09519792ae22a547e
--- /dev/null
+++ b/php-8.0.6-deprecated.patch
@@ -0,0 +1,400 @@ +From 4dc8b3c0efaae25b08c8f59b068f17c97c59d0ae Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Wed, 5 May 2021 15:41:00 +0200 +Subject: [PATCH] get rid of inet_aton and inet_ntoa use inet_ntop iand + inet_pton where available standardize buffer size + +--- + ext/sockets/sockaddr_conv.c | 4 ++++ + ext/sockets/sockets.c | 48 +++++++++++++++++++++++++------------ + ext/standard/dns.c | 16 ++++++++++++- + main/network.c | 20 ++++++++++++++-- + 4 files changed, 70 insertions(+), 18 deletions(-) + +diff --git a/ext/sockets/sockaddr_conv.c b/ext/sockets/sockaddr_conv.c +index 57996612d2d7e..65c8418fb3a6f 100644 +--- a/ext/sockets/sockaddr_conv.c ++++ b/ext/sockets/sockaddr_conv.c +@@ -87,7 +87,11 @@ int php_set_inet_addr(struct sockaddr_in *sin, char *string, php_socket *php_soc + struct in_addr tmp; + struct hostent *host_entry; + ++#ifdef HAVE_INET_PTON ++ if (inet_pton(AF_INET, string, &tmp)) { ++#else + if (inet_aton(string, &tmp)) { ++#endif + sin->sin_addr.s_addr = tmp.s_addr; + } else { + if (strlen(string) > MAXFQDNLEN || ! 
(host_entry = php_network_gethostbyname(string))) { +diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c +index 16ad3e8013a4c..85c938d1b97b1 100644 +--- a/ext/sockets/sockets.c ++++ b/ext/sockets/sockets.c +@@ -220,8 +220,10 @@ zend_module_entry sockets_module_entry = { + ZEND_GET_MODULE(sockets) + #endif + ++#ifndef HAVE_INET_NTOP + /* inet_ntop should be used instead of inet_ntoa */ + int inet_ntoa_lock = 0; ++#endif + + static int php_open_listen_sock(php_socket *sock, int port, int backlog) /* {{{ */ + { +@@ -1082,10 +1084,12 @@ PHP_FUNCTION(socket_getsockname) + struct sockaddr_in *sin; + #if HAVE_IPV6 + struct sockaddr_in6 *sin6; +- char addr6[INET6_ADDRSTRLEN+1]; ++#endif ++#ifdef HAVE_INET_NTOP ++ char addrbuf[INET6_ADDRSTRLEN]; + #endif + struct sockaddr_un *s_un; +- char *addr_string; ++ const char *addr_string; + socklen_t salen = sizeof(php_sockaddr_storage); + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oz|z", &arg1, socket_ce, &addr, &port) == FAILURE) { +@@ -1106,8 +1110,8 @@ PHP_FUNCTION(socket_getsockname) + #if HAVE_IPV6 + case AF_INET6: + sin6 = (struct sockaddr_in6 *) sa; +- inet_ntop(AF_INET6, &sin6->sin6_addr, addr6, INET6_ADDRSTRLEN); +- ZEND_TRY_ASSIGN_REF_STRING(addr, addr6); ++ inet_ntop(AF_INET6, &sin6->sin6_addr, addrbuf, sizeof(addrbuf)); ++ ZEND_TRY_ASSIGN_REF_STRING(addr, addrbuf); + + if (port != NULL) { + ZEND_TRY_ASSIGN_REF_LONG(port, htons(sin6->sin6_port)); +@@ -1117,11 +1121,14 @@ PHP_FUNCTION(socket_getsockname) + #endif + case AF_INET: + sin = (struct sockaddr_in *) sa; ++#ifdef HAVE_INET_NTOP ++ addr_string = inet_ntop(AF_INET, &sin->sin_addr, addrbuf, sizeof(addrbuf)); ++#else + while (inet_ntoa_lock == 1); + inet_ntoa_lock = 1; + addr_string = inet_ntoa(sin->sin_addr); + inet_ntoa_lock = 0; +- ++#endif + ZEND_TRY_ASSIGN_REF_STRING(addr, addr_string); + + if (port != NULL) { +@@ -1154,10 +1161,12 @@ PHP_FUNCTION(socket_getpeername) + struct sockaddr_in *sin; + #if HAVE_IPV6 + struct sockaddr_in6 *sin6; +- char 
addr6[INET6_ADDRSTRLEN+1]; ++#endif ++#ifdef HAVE_INET_NTOP ++ char addrbuf[INET6_ADDRSTRLEN]; + #endif + struct sockaddr_un *s_un; +- char *addr_string; ++ const char *addr_string; + socklen_t salen = sizeof(php_sockaddr_storage); + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oz|z", &arg1, socket_ce, &arg2, &arg3) == FAILURE) { +@@ -1178,9 +1187,9 @@ PHP_FUNCTION(socket_getpeername) + #if HAVE_IPV6 + case AF_INET6: + sin6 = (struct sockaddr_in6 *) sa; +- inet_ntop(AF_INET6, &sin6->sin6_addr, addr6, INET6_ADDRSTRLEN); ++ inet_ntop(AF_INET6, &sin6->sin6_addr, addrbuf, sizeof(addrbuf)); + +- ZEND_TRY_ASSIGN_REF_STRING(arg2, addr6); ++ ZEND_TRY_ASSIGN_REF_STRING(arg2, addrbuf); + + if (arg3 != NULL) { + ZEND_TRY_ASSIGN_REF_LONG(arg3, htons(sin6->sin6_port)); +@@ -1191,11 +1200,14 @@ PHP_FUNCTION(socket_getpeername) + #endif + case AF_INET: + sin = (struct sockaddr_in *) sa; ++#ifdef HAVE_INET_NTOP ++ addr_string = inet_ntop(AF_INET, &sin->sin_addr, addrbuf, sizeof(addrbuf)); ++#else + while (inet_ntoa_lock == 1); + inet_ntoa_lock = 1; + addr_string = inet_ntoa(sin->sin_addr); + inet_ntoa_lock = 0; +- ++#endif + ZEND_TRY_ASSIGN_REF_STRING(arg2, addr_string); + + if (arg3 != NULL) { +@@ -1527,12 +1539,14 @@ PHP_FUNCTION(socket_recvfrom) + struct sockaddr_in sin; + #if HAVE_IPV6 + struct sockaddr_in6 sin6; +- char addr6[INET6_ADDRSTRLEN]; ++#endif ++#ifdef HAVE_INET_NTOP ++ char addrbuf[INET6_ADDRSTRLEN]; + #endif + socklen_t slen; + int retval; + zend_long arg3, arg4; +- char *address; ++ const char *address; + zend_string *recv_buf; + + if (zend_parse_parameters(ZEND_NUM_ARGS(), "Ozllz|z", &arg1, socket_ce, &arg2, &arg3, &arg4, &arg5, &arg6) == FAILURE) { +@@ -1590,7 +1604,11 @@ PHP_FUNCTION(socket_recvfrom) + ZSTR_LEN(recv_buf) = retval; + ZSTR_VAL(recv_buf)[ZSTR_LEN(recv_buf)] = '\0'; + ++#ifdef HAVE_INET_NTOP ++ address = inet_ntop(AF_INET, &sin.sin_addr, addrbuf, sizeof(addrbuf)); ++#else + address = inet_ntoa(sin.sin_addr); ++#endif + + 
ZEND_TRY_ASSIGN_REF_NEW_STR(arg2, recv_buf); + ZEND_TRY_ASSIGN_REF_STRING(arg5, address ? address : "0.0.0.0"); +@@ -1617,11 +1635,11 @@ PHP_FUNCTION(socket_recvfrom) + ZSTR_LEN(recv_buf) = retval; + ZSTR_VAL(recv_buf)[ZSTR_LEN(recv_buf)] = '\0'; + +- memset(addr6, 0, INET6_ADDRSTRLEN); +- inet_ntop(AF_INET6, &sin6.sin6_addr, addr6, INET6_ADDRSTRLEN); ++ memset(addrbuf, 0, INET6_ADDRSTRLEN); ++ inet_ntop(AF_INET6, &sin6.sin6_addr, addrbuf, sizeof(addrbuf)); + + ZEND_TRY_ASSIGN_REF_NEW_STR(arg2, recv_buf); +- ZEND_TRY_ASSIGN_REF_STRING(arg5, addr6[0] ? addr6 : "::"); ++ ZEND_TRY_ASSIGN_REF_STRING(arg5, addrbuf[0] ? addrbuf : "::"); + ZEND_TRY_ASSIGN_REF_LONG(arg6, ntohs(sin6.sin6_port)); + break; + #endif +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index 41b98424edb60..6efdbbe894b46 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -228,6 +228,9 @@ PHP_FUNCTION(gethostbynamel) + struct hostent *hp; + struct in_addr in; + int i; ++#ifdef HAVE_INET_NTOP ++ char addr4[INET_ADDRSTRLEN]; ++#endif + + ZEND_PARSE_PARAMETERS_START(1, 1) + Z_PARAM_PATH(hostname, hostname_len) +@@ -255,7 +258,11 @@ PHP_FUNCTION(gethostbynamel) + } + + in = *h_addr_entry; ++#ifdef HAVE_INET_NTOP ++ add_next_index_string(return_value, inet_ntop(AF_INET, &in, addr4, INET_ADDRSTRLEN)); ++#else + add_next_index_string(return_value, inet_ntoa(in)); ++#endif + } + } + /* }}} */ +@@ -266,7 +273,10 @@ static zend_string *php_gethostbyname(char *name) + struct hostent *hp; + struct in_addr *h_addr_0; /* Don't call this h_addr, it's a macro! 
*/ + struct in_addr in; +- char *address; ++#ifdef HAVE_INET_NTOP ++ char addr4[INET_ADDRSTRLEN]; ++#endif ++ const char *address; + + hp = php_network_gethostbyname(name); + if (!hp) { +@@ -281,7 +291,11 @@ static zend_string *php_gethostbyname(char *name) + + memcpy(&in.s_addr, h_addr_0, sizeof(in.s_addr)); + ++#ifdef HAVE_INET_NTOP ++ address = inet_ntop(AF_INET, &in, addr4, INET_ADDRSTRLEN); ++#else + address = inet_ntoa(in); ++#endif + return zend_string_init(address, strlen(address), 0); + } + /* }}} */ +diff --git a/main/network.c b/main/network.c +index 2c504952b2dd1..7f2f714ec42df 100644 +--- a/main/network.c ++++ b/main/network.c +@@ -236,8 +236,12 @@ PHPAPI int php_network_getaddresses(const char *host, int socktype, struct socka + } while ((sai = sai->ai_next) != NULL); + + freeaddrinfo(res); ++#else ++#ifdef HAVE_INET_PTON ++ if (!inet_pton(AF_INET, host, &in)) { + #else + if (!inet_aton(host, &in)) { ++#endif + if(strlen(host) > MAXFQDNLEN) { + host_info = NULL; + errno = E2BIG; +@@ -555,7 +559,11 @@ PHPAPI int php_network_parse_network_address_with_port(const char *addr, zend_lo + goto out; + } + #endif ++#ifdef HAVE_INET_PTON ++ if (inet_pton(AF_INET, tmp, &in4->sin_addr) > 0) { ++#else + if (inet_aton(tmp, &in4->sin_addr) > 0) { ++#endif + in4->sin_port = htons(port); + in4->sin_family = AF_INET; + *sl = sizeof(struct sockaddr_in); +@@ -617,15 +625,19 @@ PHPAPI void php_network_populate_name_from_sockaddr( + } + + if (textaddr) { +-#if HAVE_IPV6 && HAVE_INET_NTOP ++#ifdef HAVE_INET_NTOP + char abuf[256]; + #endif +- char *buf = NULL; ++ const char *buf = NULL; + + switch (sa->sa_family) { + case AF_INET: + /* generally not thread safe, but it *is* thread safe under win32 */ ++#ifdef HAVE_INET_NTOP ++ buf = inet_ntop(AF_INET, &((struct sockaddr_in*)sa)->sin_addr, (char *)&abuf, sizeof(abuf)); ++#else + buf = inet_ntoa(((struct sockaddr_in*)sa)->sin_addr); ++#endif + if (buf) { + *textaddr = strpprintf(0, "%s:%d", + buf, ntohs(((struct 
sockaddr_in*)sa)->sin_port)); +@@ -862,7 +874,11 @@ php_socket_t php_network_connect_socket_to_host(const char *host, unsigned short + + in4->sin_family = sa->sa_family; + in4->sin_port = htons(bindport); ++#ifdef HAVE_INET_PTON ++ if (!inet_pton(AF_INET, bindto, &in4->sin_addr)) { ++#else + if (!inet_aton(bindto, &in4->sin_addr)) { ++#endif + php_error_docref(NULL, E_WARNING, "Invalid IP Address: %s", bindto); + goto skip_bind; + } +From e5b6f43ec7813392d83ea586b7902e0396a1f792 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Thu, 6 May 2021 14:21:29 +0200 +Subject: [PATCH] get rid of inet_addr usage + +--- + main/fastcgi.c | 4 ++++ + sapi/litespeed/lsapilib.c | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/main/fastcgi.c b/main/fastcgi.c +index 071f69d3a7f0..c936d42405de 100644 +--- a/main/fastcgi.c ++++ b/main/fastcgi.c +@@ -688,8 +688,12 @@ int fcgi_listen(const char *path, int backlog) + if (!*host || !strncmp(host, "*", sizeof("*")-1)) { + sa.sa_inet.sin_addr.s_addr = htonl(INADDR_ANY); + } else { ++#ifdef HAVE_INET_PTON ++ if (!inet_pton(AF_INET, host, &sa.sa_inet.sin_addr)) { ++#else + sa.sa_inet.sin_addr.s_addr = inet_addr(host); + if (sa.sa_inet.sin_addr.s_addr == INADDR_NONE) { ++#endif + struct hostent *hep; + + if(strlen(host) > MAXFQDNLEN) { +diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c +index a72b5dc1b988..305f3326a682 100644 +--- a/sapi/litespeed/lsapilib.c ++++ b/sapi/litespeed/lsapilib.c +@@ -2672,8 +2672,12 @@ int LSAPI_ParseSockAddr( const char * pBind, struct sockaddr * pAddr ) + ((struct sockaddr_in *)pAddr)->sin_addr.s_addr = htonl( INADDR_LOOPBACK ); + else + { ++#ifdef HAVE_INET_PTON ++ if (!inet_pton(AF_INET, p, &((struct sockaddr_in *)pAddr)->sin_addr)) ++#else + ((struct sockaddr_in *)pAddr)->sin_addr.s_addr = inet_addr( p ); + if ( ((struct sockaddr_in *)pAddr)->sin_addr.s_addr == INADDR_BROADCAST) ++#endif + { + doAddrInfo = 1; + } +From 99d67d121acd4c324738509679d23acaf759d065 Mon Sep 17 00:00:00 
2001 +From: Remi Collet +Date: Thu, 6 May 2021 16:35:48 +0200 +Subject: [PATCH] use getnameinfo instead of gethostbyaddr + +--- + ext/standard/dns.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index edd9a4549f5c..540c777faaba 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -169,20 +169,30 @@ PHP_FUNCTION(gethostbyaddr) + static zend_string *php_gethostbyaddr(char *ip) + { + #if HAVE_IPV6 && HAVE_INET_PTON +- struct in6_addr addr6; +-#endif +- struct in_addr addr; +- struct hostent *hp; ++ struct sockaddr_in sa4; ++ struct sockaddr_in6 sa6; ++ char out[NI_MAXHOST]; + +-#if HAVE_IPV6 && HAVE_INET_PTON +- if (inet_pton(AF_INET6, ip, &addr6)) { +- hp = gethostbyaddr((char *) &addr6, sizeof(addr6), AF_INET6); +- } else if (inet_pton(AF_INET, ip, &addr)) { +- hp = gethostbyaddr((char *) &addr, sizeof(addr), AF_INET); +- } else { +- return NULL; ++ if (inet_pton(AF_INET6, ip, &sa6.sin6_addr)) { ++ sa6.sin6_family = AF_INET6; ++ ++ if (getnameinfo((struct sockaddr *)&sa6, sizeof(sa6), out, sizeof(out), NULL, 0, NI_NAMEREQD) < 0) { ++ return zend_string_init(ip, strlen(ip), 0); ++ } ++ return zend_string_init(out, strlen(out), 0); ++ } else if (inet_pton(AF_INET, ip, &sa4.sin_addr)) { ++ sa4.sin_family = AF_INET; ++ ++ if (getnameinfo((struct sockaddr *)&sa4, sizeof(sa4), out, sizeof(out), NULL, 0, NI_NAMEREQD) < 0) { ++ return zend_string_init(ip, strlen(ip), 0); ++ } ++ return zend_string_init(out, strlen(out), 0); + } ++ return NULL; /* not a valid IP */ + #else ++ struct in_addr addr; ++ struct hostent *hp; ++ + addr.s_addr = inet_addr(ip); + + if (addr.s_addr == -1) { +@@ -190,13 +200,13 @@ static zend_string *php_gethostbyaddr(char *ip) + } + + hp = gethostbyaddr((char *) &addr, sizeof(addr), AF_INET); +-#endif + + if (!hp || hp->h_name == NULL || hp->h_name[0] == '\0') { + return zend_string_init(ip, strlen(ip), 0); + } + + return 
zend_string_init(hp->h_name, strlen(hp->h_name), 0); ++#endif + } + /* }}} */ + diff --git a/php-fpm.conf b/php-fpm.conf index 750f987f4f19f3e51468cfc7b78a44fed53cc0fa..53a07b6e861635e74a3c63c2413dc62f16a65370 100644 --- a/php-fpm.conf +++ b/php-fpm.conf @@ -5,6 +5,11 @@ ; All relative paths in this configuration file are relative to PHP's install ; prefix. +; Include one or more files. If glob(3) exists, it is used to include a bunch of +; files from a glob(3) pattern. This directive can be used everywhere in the +; file. +include=/etc/php-fpm.d/*.conf + ;;;;;;;;;;;;;;;;;; ; Global Options ; ;;;;;;;;;;;;;;;;;; @@ -128,8 +133,5 @@ daemonize = yes ; used in logs and stats. There is no limitation on the number of pools which ; FPM can handle. Your system will tell you anyway :) -; Include one or more files. If glob(3) exists, it is used to include a bunch of -; files from a glob(3) pattern. This directive can be used everywhere in the -; file. -include=/etc/php-fpm.d/*.conf +; See /etc/php-fpm.d/*.conf diff --git a/php-keyring.gpg b/php-keyring.gpg index 0774fa8fe0634989891fac9fc1a43ac78946d9d2..ff1867433d5a57292e195936c4e04e7847f03633 100644 --- a/php-keyring.gpg +++ b/php-keyring.gpg 
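Review bot: In the rewritten php_gethostbyaddr (third embedded patch, first ext/standard/dns.c hunk), `sa4` and `sa6` reach getnameinfo() with only the family and address fields set, so the port, flow-info and scope-id fields carry whatever was on the stack; add `memset(&sa6, 0, sizeof(sa6));` and `memset(&sa4, 0, sizeof(sa4));` before the inet_pton() calls. The `getnameinfo(...) < 0` test is also too narrow, since the call is only specified to return non-zero on failure, and on a platform whose EAI_* codes are positive a failed lookup would go on to `strlen(out)` over a buffer that was never written. Compare against `!= 0` in both branches. Separately, the inet_aton → inet_pton swaps across this patch accept only dotted-decimal quads, so shorthand, hex or octal address forms now take the hostname-resolution path; that is the stricter behaviour, and it deserves a line in the commit message because callers that validate addresses may notice the difference.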
@@ -1,780 +1,597 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mQINBFg4q4YBEAD50HOLDAVpW88rUHnX/TYTCLpqmHMKXPjuf1l3ZEkY3PXF6wqm -qaWWMPeWJFsik3cMebtLQzsgXHl4xDUBQhOOtdfax2ZKBHQmoUknw2dKkqdkVLh8 -Xpu8tw00SmcTiAFVCA2+HOqQ+Drq9NUpnMeJpJZiZu84eZbJBEzgabi0s4jf67NH -7E3ENFb8DRilcM1aNT0rD1xVKR1spMKmBmOoJ/pj5OlWNH34/qdeqIrvKB46/pFE -LH8SRiorYTDhQTaS0PlT3LxRqVWo8+JlgnFIe96p2d7JF1A1DwQUJerRY4789gNY -zjW4fh1tc6jtTE2opbLVfbqujHsxrHFKoBO4CPBcPtzf6TUPxDevvBh9omsd+V5F -W7k/VFIiWFQv0RfQe8nwkNjmA0U3TOX3xKrU+59RU6w+uOuQy564jxg691a7peiQ -2Y90FqIVUlEL9Guf8U9ezp1DGo/UhnRNJcPmSwhYRcKMUV53mDqWQW8p7XXjSqnV -VF3cP9bc94UNAf28kXvnJBMGOZwp19dqD7ws+25WM6qQ7u7qQoGZzSI4Wn0ZaXnF -rXwQXfY4+R20XSDt3oxGP8h08VSz09Xd3C7XV8Eg+0RrTSXVtZruAdcOIE/AWK4a -BpN7yfGlMTfOOoYZa5tPFYf906yE56vtHcfJttJ7CO+kQMIW5PgRVMAE/QARAQAB -tB5FcmljIEEgTWFubiA8ZXJpY0BzaXh0aHJlZS5tZT6JAlEEEwEKADsCGwMFCwkI -BwMFFQoJCAsFFgIDAQACHgECF4AWIQSv2Gkf2u3wO99uRgVj8VqbcVN2ygUCW03x -6wIZAQAKCRBj8VqbcVN2yvQZEACQM5hZtuZb17jKIj4kQwKNakb3aDICwfq5NHmU -J+i7edGxWfuojEZS4pTQSxVw1tLiGDtNbU6bCLZiNVdi512j4zqU4b3DUBAdeE/u -VJnyRj7kUE/wrKBgXsAdANgwkSYux4cVfRMf98/+BE3K9hYqTvLHjiC/AzikajTm -vth/RKWCPYBN+5Sj31NSrRbTPYB4kB9jJE7F0B3tEEB2J6vZ8J9IEF8qo6hNpz5v -PxpeleSG8mi3ldALA4fuc6g3BqrkzrdcG09Qjzfzs5aIeTaS/5fDKTW2BS2X8zl7 -YjEatL8RH1jDuY+hnmEDmA98b0d1VLgcitd1zGGtrONyx3jcqXh0xQJNuyfm2Q+U -4LQmEglRU8Wh6szWVv8OdJA63cE0SQtuMN9TzeEvXWedOTMd/sVbMLK756qIJJXZ -I7fNZoTtuPbSqhY9cx4o7NF3UAk7xB5nbLYuJsOjL2/mZpqicWJITXtFXP29VIo2 -KXTwY7KbS3sFvxfz3jg9JhGuwQNgSVdsf7JbMhElcFon+4FU+94nTzUCvdy0MjHn -UYUbjKcb9V/8n6EbRrF3qSDv6FTcZnvP071yWqBQ8yKkdREZJGFVSh11kDbQ4cSH -1+8pyl2ZaSbz+W2Kw8gc0JtNswjqmZiPrNrmTAnuld6drYg1OxflAnEiMaIkwSaS -pMY+KbQdRXJpYyBBIE1hbm4gPGVyaWNAZWFtYW5uLmNvbT6JAjcEEwEKACEFAlg4 -q4YCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQY/Fam3FTdsoUTRAAg2YD -JkmQlKRdm0u9Oh2oY+e16UI+ceOaZ0gryfCswM/rNieqsjiJJP5N0CYTeyOg/RkH -QOAUuVft65bjjWSpTHY6LS9XYcYg5mt4StTCib5q9PhW78gOnkE3tm6Ql5njpcUh -io5O9qCGz2FgXJW07pOFSrOePTL4BH3oxQnb0PyNTWXQLWo9Sa5XlBwqHgBFauyq 
-7J75HlfD7uyKbQIb4Eu/Ba+5uAPesyeeBWt0D9pA/vy39UXcXgzB80R8mVvqFR/x -pDkeo8ce/J2G0BJTNSA0GqqiqdKKlwbYhd3r4LxziWUMW3hvI+PFtqxZlBLI17wO -4GIVqQt6J8tDo9e9gbjPwEVtoNDBt+3ymOdqoGZtlMG66/VEvrtmQMPBY8VVjKDP -vupVXhobyJjnj2NLj0a9xhRuJNhX8WGk4Td+U/n1j+SuOmhVQN9dDhdcorsX2vuB -6Wj7sk22JxVhPu9jfZqIWUER6gO6lJTOhP5M2A2xKJc2CmwRwZ7OXEc265MJNY7q -EzNM0fno4y8JMPJn6+CVimjKHolFPTZW9YbhKwgaG564XoypW1GAbesiyhsdIE8R -e8mXl6/1BGjXVgjZ/xzTU1grrDobWNX7sbh4+3EdEiUDQAzuURvW3lyW0Ulfizx4 -Ofc06ejmgNDlcUILq3EKauoLnD+/jjPxCKZfsUi0GUVyaWMgQSBNYW5uIDxlcmlj -QGVhbS5tZT6JAjcEEwEKACEFAlg4rFwCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgEC -F4AACgkQY/Fam3FTdsr/ShAAxODmai32oTE2V2fmtffhmMiQ+5yHo7dFfG+qzx7s -KTpJIvbRWoY2vMUlNjr+czm5QOugDZu2rYvPajkQY9qO6JeX/y70pL+rIFUR73Lk -t0dH60EDVBUBiRUaFr4ggijjFwcGiFtfV2GE6UqcwKLL5/dMRnQOvXcDAVmW+5+i -8R5fXJ2/EYOQrXDaMBLllk/Qu5BwCS9a1xt8w0l3BpiYllZzY5SvRd3dIfutKvRT -MTrdNMasDyrYG7OqLwRD7rW4LgT8Qe0WuHCHRXTy3TJQEz2F5s8ThdXUgoi2Gm8q -UAn+sqzKzE5dWj+AnJ9D+rrzRxf/Mz8xe9Z4ZX7LJfWADKXO9xUCGpaoE/ajY/LQ -vnqgdl1JmSK8vy27KiDyWRdYD79NTESRfVgUuRZameVi8/JyLIUrkB/Bji98fAX8 -y859mbFbhSu/yb1YlUR4YS/PU2Qisp8HwQUPSjJNF9zT9DBmqXtdfV713Yry+xwH -3letiyd81D5NzgxJGv3lMqTyusT9NOtHof1WzDQFgRayma8ZwamZ6odKbnFiA8aZ -QiJFgniJYMICkEfbfMrwazgnJ/tLDsFk3UdHC1LNPQ4gvkW4oC2HynsRXEoYb9b7 -LPwsb1HrWYI+SpdBEzW8DZq1bK7hiUvMWI/ufQSoqrPICQxrU14rdb5VQ/K6Gqgi -/ru0HEVyaWMgQSBNYW5uIDxlcmljQHRvem55LmNvbT6JAjYEMAEKACAWIQSv2Gkf -2u3wO99uRgVj8VqbcVN2ygUCWz7hSgIdAAAKCRBj8VqbcVN2ytIeEAC9rHbm7aqo -tLp7yt4b+ua2usIXjztsSI5jT9BW7BLFPzajKIqmQSGWe37IlmtQrwU1YzSarT0p -Dd3/R97m8Al3PeCrlShi/3o6py+2PakqHz2nAwC7BKI58W2VhdkDnidLSGbpb/X6 -lePIEzWiKR38u7DZ0rnZW/KEcEkl+cCph0R5C15TgjMFnNm2t+DrPtwvxZ8St0KX -UwKhYJUHB/hkOuQRnheyLRFHGkY+kxUuWvGSavTXZMPfZHzSpPH8+Dk42WJAjAUM -dwNwkMMQItKM+5epZqzXat7N/3ZNNeV6fwWTsMTcOaFmrRiNnk9KTBtNNd3ny/n0 -ZswcujjTOQW+Hjx6Qx+kWr258Z1s9NvDoNJAtZBYAKGrQe7CkQ9h6uwoY1cZ2jD6 -BzPoYWt8kHyh2FcVJyKVcG7Gupy1f4j4YEsUjHUXuo1Gqrjm6kThGaa6YXbG7h0g -6CoXv7cpWg57ir1H/noXtdr81XXPrybODEKQsHVRAfQrV0gb7i60YYV5zsL+FPeC 
-SU6a85U0oIR9TsL+y3h8jCGKD44EDG+ZzRzi4cIyDdFi5cX8gcMEFsMfRGBjQZcE -7vI2JpCgv6PIhH+dCWod2yKQe/hHwvQmztle+4lh31F8SDSqj0fQzOmdbacwLiPo -LhF8yCEkV+6BDVbJGwh1R5T94nibcvIzvLQgRXJpYyBNYW5uIDxlcmljLm1hbm5A -dmFjYXNhLmNvbT6JAkMEMAEKAC0WIQSv2Gkf2u3wO99uRgVj8VqbcVN2ygUCZGOd -MQ8dIExlZnQgdGhlIHRlYW0ACgkQY/Fam3FTdsoVAhAA5493PVYJP6HAx1eUz57b -EkxwzU7Nj9X5ZvaW4nlPkjpir9PMp4KZQHfoG+pO/5Q7j0dUbv601uxY0nZyCKb9 -vc2bDC9BOxQwGtqPLZqD0dgf3I5Ybn+EiYF9PsPdmbz1jwxrHEgxsk+qEiTIv4TE -PFlPHXzoPc09vwnUhRNkAxuhhI3Noocf8igpF1o1aC4VfYqW3P6WCD48xoevYd+B -4Svl1NZKwoUp+Gf2b7nRNjP8VyxyxK/xwg6EQbSbzZF+XLIVO/q1lfkKN5I/Jk32 -7aiSm9wqkh0H5FgzLXP4pwnGLGw3OU92BluGEWiBuSigThEse81+h/LtEM46e3fN -sNT4bEUEvvQrJAFj2XaIs4zG1LxvvvkycjGXO4VzdrTTpbwiw+3XQ8hwjdN+W86k -ryJhmGpryO/TWREwWnTxIoktp3bgtUjfzpFj/ziYmyEMkW1U8Wtc/808vP3w5rHx -ImArYeYxDdqxO/ZmJKYcjOSX5BITeq8C9/eoKcABhnr0cj6U9BZBUcT1EgRC9uK6 -06btn21U/L+BlAsNE1MbvX24p8mLAPd/QI/OtSbojBnc3MVw4QTGRrnn/Md78vLZ -4UnUHoExeqOGGRmGroVj6kOZk6swafDySA4myrGzSqjCuXKxkyKcC00AOrjG3gDf -C6zlHM/59YYY9LU2lhsMM3O0HEVyaWMgTWFubiA8ZXJpY21hbm5AcGhwLm5ldD6J -Ak4EEwEKADgWIQSv2Gkf2u3wO99uRgVj8VqbcVN2ygUCZGOc2AIbAwULCQgHAgYV -CgkICwIEFgIDAQIeAQIXgAAKCRBj8VqbcVN2yq/cEACENjv93ejG3djMPkcZ0mGo -vQiPqmoEylb8ZsXXZ4rGeebPRWK1PuXNrIPtQfNTNNPxnBJus5ofZIhQUyX/++Av -g9btpSliBKXTSajC9rOnUIbbTzkHwfw3WtckqBRi5B92Zyjyp+FrSIjphYfrkJIE -26mXmZoIHBeTpxfcLZdUncA/qvPhudUkuiFzzw9DBJffeFYQdjFCHaYnQRvjRBMH -6lLaJTZbb4yF3fevIAasIhmh3vq4KQ2B76+KiyEM6UrEMDWPvu0mIA7cUmSLHUs4 -zXdJCZql6o/secZ+Q09lI1pmI5w7Ezqs8AaTWwFRlJ+S2cO7iB1bvjIL8hwKrJBl -XJdXc5W9q2QFcfP3TKN7nMLpgo/chT8JRThcx1av0p9imd+LjYkXUpP0bwi/fcdu -kyKSAmsm0eBTGgpdDSvOhPeCHiNQryrg49oJEFUITcypXDJzgmiPT/3tfj8eprvy -l/zvjEo1FjkrXw0Mz6y7dbBh+nuSQSlzZgwcOPNR6dBklEoc4gleDArSmJtIzjWi -QxkUTej0bwN0xQxBGp4Iz9xumK9+acIBWoaTlUUthxbFCyrRvqeWpO/2T5+ofda0 -kBLU0PNfVrGsnS098o9CVlO8EBkinooN87Uy+i+dU7bV6sbfeUjaj7R+idfeTqA+ -5Aptc1kbhBxpJMBX1ZSnQbkCDQRYOK0AARAAzShopuyFAevGCfWGPBE2YJA6JxZW -0tN++/oj6bG+QCx2+ehO+5eVlxP8cNzu6mBUAA15sPRoKq1+JUM+l0dJHvpMgO5D 
-nRMUBUYK4FrSbzsSFnDkgh1G9LD8vbidY/4pez6MQTw2ei25jzBYDnmlwBdXN0pC -HFMIBawLv+GFO95HCZd9f9NIZ4TAj6IgLKo8rMdjzLNCICAmBWPwflc1NrJ34TXC -NLf+zAjx/8ahqdVyXnVverzpfLKYI3WamTRITbqyWo4qqqqPjPlZpXIQ6DyNH+2z -6ogG/+no3iJape5fC6TpEZiKJMYcO53ya+byxhyBgzJnVqLRiOIddUTXDbqAQywM -Q9XTYka+d6s6IEiO70VGTrV+aZffO9yKoqL1mB9ZqdELunkjkHzFYuFQ0zYdCwwK -VwpLDD9A24gdYq9Y21co9BPaowWNrjz2Zc4Syr38vg35ZvZy4TxcTFl707VkUeAq -axPrm5KEwAUeCvWcejQnAgsN3roJ24qIjI9k1We/kV5LeAw92pCHsCOLDXPnky54 -fGlSbVkE3iY2DeFC3l6juMvVMzw2VTbTfstyxve7gVKhcFz0+tHASIWIQD3ekrUJ -BHCOB78l5Q861D7QPM6vpBAg/BtVqtxKNR4Qax+Fm1rKEm2TyWrATzUmWv3p3MUb -rnYmFTFUHjTVqPEAEQEAAYkEPgQYAQoACQUCWDitAAIbAgIpCRBj8VqbcVN2ysFd -IAQZAQoABgUCWDitAAAKCRC+xVXiKhQ1U+QED/wLMjiI8WIVYNZvGDmTcL4IBuPI -MCh/2XzxT0nN43fhY0B/xtWjPYlgCBardZEJE11VtTQjUe8DGaK93eaq8ngU5Ekb -ti03AZbJgrGHSPL4LsWuI4wFQaln2E/DAX2IhMEgs7xDUi9oTHltwpNqGa0siH0S -fVJV02vUzQrkcKnIHzjMea2yTJZpQYZcczGbPbFP13Ur5fngYlLTEvKt5j36HFgw -QVk/dWjTBOEZIsIJ/bqgxsCCztnxpewGqqjB3bdZD4emOqsZoVfco9wuFvwlZdgF -ZEkVeis2otn940OQO3b9+qaTgKoVexGQcodEsntyh/QBAYlMgDWUMyWljxvDHDJa -qIwiUdZRdchoDxopdu8+toOaNy4nJY5QYgZL8nMqesElYGJ4DzpE0vxjrkEaSN4x -1vErxPOdmPrDhyePTxfa6FAbvf8NM5GOv3GrIDiZ+6RVK04R+sKz/hj9le1dPQwD -Fe4Ko+W3Wa7sEWi8IxUXeT3vBAai1sfJ7XIVCqevDcuwc79E3V8/cmmqPWv8NqkG -+tV3SsKJZJJH5bFcefhXrCx5Ov0m+5SmWh6eYO9iMQL+kfOEh5/qx2jz6hi2khom -VAhjtqQvM2cGjQ+utiqgIk0a7JL2Al8CVw1zrr4/xivQA5/rz+f5nSYgCOyTgfWp -ttlCZIwT+f6bSi4nGAatEACVmL2/bl5XUuw/omQMBKb9sRaC2j9r/NAFplnCXrTL -wx+lmKEFTgLTWMrJbUrRdDXccbmr/PnDU5wr7RqwKqQr8cl/6BnxTQTiiwtYkGng -LAPDqkOui1nCgCYBNXDM49X1y7AmDpPcCBrCmhlCAOXeQkbns6u4WGsCE7FgUGQd -T+V586C5j4PdUQhmE3j/g2Okrgk515RcFc7BwZGHtzeKMkl6p/CTEJhHmvWySxjf -Mj4i3vijRpX+61DUik8jAhE6aV+ezQoLFdyVUY09K2DctnNLzHfCZcYNUEbnN4yq -SULX8Sqt+S8s9ZYtlNB8daK0pJ4AMZoXDmqox/DNzPI6jPYYwgU2rXPAGwXRXV6c -UqoofyuK0ACb6VQW75L/QH+0v7hI0Uc/WowD4DYdv2+O78Y74X3T1c4WrVqV+Qjm -W7gUq3uoJfbpDAdKxp8+6fr+a+tCH6lr8PHAXwSm4u9GDm+KUe/ZXBsXPw+iOJGy -JXvxIMGlC5gEIiQbfRd5a3FiNHn+WcOC63Vv7FVo7UMUysju5HZIatm5DMeu3KhQ 
-5+mOi8pFzvFNQZZdi1V1DESaP01YFKFESEAK7Gom0omf5cPkQ9I/ZACo141tqSwm -kxxJe6cqK2Dhk46YYx/Op1RAMJOHLIRCQCjl0imozZ0U0r4j8n/xCpei+EGgJOUF -pbkCDQRYOK0dARAAxbj34OlZA1kiEjolyHGVcSErfvhNxmoqOl/sP1l2vvMMHaJE -PxwrG8zKvnrpEemgP/qi13R/bruRFWMdMvXVMq61IqXBPbv6clygVFEXVKEFTaA+ -P27W1qxSwM+5FeVb8EDzI949Zd3FqLNNjuQbHAKjszZCRIaEeHib7UC5iGxlh0K5 -1o24pI0UPoK3EHAoTg2jDey8PdPNknYvYjEY5Q5TDuarpYnKBghd5jJxVSCARsel -hwvfm+Ztg1tap3ULDRtyPNDfZiLz27W31g61q0+ABwxP0ssuBGQPQWDpg5C6huGy -iwfZ9HLffae4vpAV2Thl/VaUoXU+OJhGDeSb5CA6KkiMrdF8qIDvhGtu9Sv7NRZb -d83SrPGsXa5vwzKgQI/NGN+jzHnyCXjlJXWlcFiUUml0DRpL5Pu6lU5jqDp+8UHu -fjGX/dorm5ewfaSUprtPBG0sIBW20ZXZ2QI8dnGpM0pzT9S87auMYq0QxiCm/Ogf -C1IzoWJamFyBYaJFLuocFlhyAvvBX0uSbZk1HKG0iShQO+RoRldzcCUiKzhxQQmO -kbAh5KdWJTwV6n0zbrOFLCYdiMUP6Vu6s5kAykIr7CxTbXgyVudBlmElxPIKc5Ee -e8NRlPAzddhUt2F+o/xrSx92DpWQYmjSSG3fQIwcnOnQTIa3yY48vILcsg8AEQEA -AYkCHwQYAQoACQUCWDitHQIbDAAKCRBj8VqbcVN2ylVlD/49gOcib5GxCuYJLYlp -YJRKBpptFvfgBsiq2D03w0U7Y+POi+jrHqa2LSeW6DFLGEKgL+1xJCFGKFJ/Cm2e -Ct4fpGitfaOFgLO/gdjjgPFQsuFm3840sKcXSql4w9W9Z+oPg/9duL4xDqevuv3m -OQO+R1Bt/4V+9vNk01kX1ftMRyMXhlqjPRUUp+tSQTT5KM5uxD3tLCWxcBxEiOjZ -94ngiRuFuiNSnZ16GMckEh9Mum1Y+R4wJsRaZeulrmA02aML41IkZTHALRhKyxbD -fjVeMURHM5gBhPYUVw9joxnXCzC+BRCDFw7bVL853LwgSq2gXZC0Rfdu2aBtLXWl -iGdmtv9FwKCLFrECygxbUu2fGB5/aMQ0otV2rgjaigPfhZoEQY0QasAQ4W+CR8fO -GURWosoAKpLbeUGd9/zOf253g3XoN13wwTKyjhXKENUPw8ZqvjdPO+tgNnOLUnPO -6K10ePbW4vaZdFCdixumxqZPokeBPkBPZq8oeAswkgWahKwQ7ZfgU4HTLMte3NEn -/2WZQsLUo68IMaTCKt3AHvGoYi86wtd6/3DbNMxNsWamr8SWzia/1DGM5F1o3Clr -ZetD+eZN13duF3gI/1x+++5LhWP+qxPPOzBhXZG5zJ2P3+eRwWuS79ZGfoh6w7uF -4A3rkjkKfpAIwrNI2WlAKXWdBbkCDQRYOK07ARAAtC2UG0mX0D2w7Fw9545szAPP -dyzDQjnpWBR++eAtIdOiKrYgRV3hNIVApv78Wwy9OxQS0kh/7QTYvPNn2HWFr5Kp -Qrg+xCF/lyvZOMhhTaE8/Z+ph0l3avQaCNq8rQ59xbmB5S0O79hQEB8yqblIKRiV -F1OpF4vT1i4g1FrKqAN1+wryLiOW0EydN5L++2gaf5Pq/TD5onloqXtU0+ZVizqk -WvPcQqPypXlYT5ZVnkq6RposYyOvGIi03o5XdXs8BrG9MHxv4ppZTvoOJvD0+bVj -SpSKB6Ffc6BLXrF0fDCqD1mVY+gUJx63iuxUtXK4690FlP4we+HNFzp9VScehwp2 
-jgMie1YJPKIC956X8FCuXMT8bLCTbQFjolA7j5x55PBFQj/ojAB8Zi6mz6ow8iyd -ZZCXVLmNcn7Vtr2OceyuGOF+hIu2ndhv7UUTUYw3NjpUv5MByQteuEr1rSCg40nC -qEsPhkok+GL96mJ5aDwDW7l07HILGHnd7VQcowP6e2nhI9Qy2E90lDsZ4liUEnEs -NqQEXa/t/3XKc2A3S+PruVqr67kJHNDH6dbsLbaYival68iiaNCnLTWeZUOF1IQl -y146mOg8kFGJjjgzeMSrkEaQqJTVeeUEdX+or2tcnaBdPi5GRFUaRK7nr5mLQ5PA -gLCSRe6YXGNrDZWfGd8AEQEAAYkCHwQYAQoACQUCWDitOwIbIAAKCRBj8VqbcVN2 -yrKxD/9QgFZmvesPlsmr7EcHWDOAhpi+DJYwzr9ADC1VE69bXQ/5ilCBoOj2z9xh -srm/CmCNMRW9mwgFjExCyEhJbUfLUcH0bVde5fR43ZoPhi8tf2WZiLJTy559Apb6 -bowiOWMnFGcBdhxmTOeCSYTvmuvcSKQckJHfykD3R8eUIaSoN2qJJjRZ0F6xMJXJ -tVg6+oNfHQ6WdrFO0ULwDN4JywtZMtYn23h9pxvB91x5K0qvttHGZ3FOBzVVYmvK -QVRimKDTA9KpxVULlh4jrnwub+tAJIQqpaKLdwlYCCrJQ4o8CSGP5xrhfLkdHwpL -xjGePjb58xp4m+/gJdrBChk2N5xlk/XnTnT1YOeM7CsooEa3SQOV7Yws5w3buRVZ -ISqtSbi9jFZGGKq1WxK6zfp5eWLzoklsOO4Z/8Ji3bHZ1cJxw4Cu3o7UJBc36xv1 -5daGA0fUxkYarRsOQtBxGj3KZ5vbWBVSZvGUAVp0gFOUEWnIaDJrc2Mzt4CoFx/f -Z8nLOxKS0BmfRzXgT9KLlodKAwU6y+Vf9/f9Q6NcRPqyWdpYHz0hQz4+OF3yGZWK -c2vC+l31f6+HyiE5n5GyBLEth/kdmgJRDlyQqkgh9CUv5l89etp286/3Eeylhwuj -n3U4NMqkXxz7dFUYSueGezBM+GOyGFL74Cdt5moQyZjrxaVGspkCDQRgZSYzARAA -tsGzvzyAM1UgKdpJOzF5s6F1UUj8hG54zeqpu+56877oIf23j2bnBupW1zMUbAo+ -BkvcS3BmaEkGYU/9hiXcvmlLe83+rMpqSVE3ID3RFZn+bk8Vp0JAYNAXZuofMcL4 -E2Va3X8Mu3+43wLBklysxJiXydi+ix5gDCNyPnLHT6igR0s4+oWI2WHMF0qdkwCE -pKSiplfZKZGN2Sg6CQnQ2+UOm88uMSvgSO1xWyDC1ghJH6VGrBl5T6Ff/ar1lq90 -hrZyoxOVY6FYAOYqoDFMpsndi/c9wasvPpirZncV8l4NztKOvMRvaO6XI6Gr1W0V -oqhPU6mXMGq/uNiqC+gXIVmJTL3mfUTul/rpqvcBiY0dxvfTxHB7RelqJjFxoni6 -m1M/1ltBoqC9+75KijGWGdLciE4iWX+2ptieE4oMqvJJNRxuq5km10kjgXCF1r/m -lZ50zNeByo7G3+o8fdVXf+eMg+4cqM8BLrW+Pgs/zt0fWd1eqfzn3JwEy1wnQ4NY -WDY1qM+k2XJcRk6WSae03r6hAYakPLmv0Fxyches2t1RWFyOAtl7Wlel+nOx9kr0 -aYbJ51WRDFkgbGXnFvrvd9XmpkIs8+XZllu4wrUKg/63Mm6qPj3rbM1vg67MYN8x -fXTzNx/htV3OESC9SuD4Ua66Zfh8GbbDoFIiSzIK1z8AEQEAAbQyUGllcnJpY2sg -Q2hhcnJvbiAoUGllcnJpY2sgUEhQKSA8cGllcnJpY2tAcGhwLm5ldD6JAk4EEwEK -ADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQRmMARdZNJel7FwZkoavH5 
-iXRp3AUCYnNM4AAKCRAoavH5iXRp3CFsD/0RYRZ/tv1/nYWRstEg8HbzwPnRlxog -BDAvQZaE/wo2W1XDEN7ZQOQPWcrbsotRQXtPQCWyxzuG2uFzGZjQsXdliEizwtc4 -4Hpo1s+W68mBX0cQPGdYqkJ+M/pB5XCzKTXhbJrmFj8f2luZldUk3Rr/aVB7/fLt -3DljYOeqkYaA9JLWdJQaEI6sXXCaXzm0wtVSg/gfjTJd0JAZc10cJjZOUOapZsRv -t/BB1N4TzwMR4T/lLqblvjOzkxbltlhgMdM6eA+3iPvuVYjOLltmTUGHioS2wKEl -TvD7z4AiMf5/vqUjnpztR22JJOaDVNcqRdSUoOXinijzJpgd3RGiCNyJidHPMyfq -4O+YKsSM5u8ovJD0WXhO5i1+iKQ7jL37oZ/g1KkukQkbjk+0P9AMSGor1Jwa1Zft -D/TAB+4fnbM9vAydEngR3jkGopWzxPg5vEK6A0GFDYY5ZpFcHXrPH+iFIWpfV9tM -8VZBAM8OapDfbcIfrbxL4nIf5vYna4RMVS3lCkzo4MTntezkJCbOOaXapird6Lcz -SUwYBDnjGBxTErHe6XsAzjY8QAqNI4+v0IqTStZmne0U0fep3q6gmEiqj+Rw6auB -WFFP2yyscre+9SK9I1C0lH6pHJcJbLyGL7kJZ2ZqUlGEtOLyB+kg6hDDK+Ev9PpD -UZnuFd7/PvNJF7QjUGllcnJpY2sgQ2hhcnJvbiA8cGllcnJpY2tAcGhwLm5ldD6J -Ak4EEwEIADgWIQQRmMARdZNJel7FwZkoavH5iXRp3AUCYnCdvQIbAwULCQgHAgYV -CAkKCwIEFgIDAQIeAQIXgAAKCRAoavH5iXRp3IY5D/4mMKbN8VdyPyiSkgTVB3Zu -6GzLl1tapw2fzlzYeS9vE9D8vF03UshdE9hKQb0qtMokblaU1cBPGrKWWPqvx0sJ -bSAZx69YKfZAiJWfHsVgvATwfMgcqlpdGHqRnEEn8fKta0+VL3GKwXW/aHAndJ6J -LT5qJ2qqMoa8VqhT5CcHo7TJ3CfMXDw7dI5TiE/MOIPuRUEwyw2JXqM2GTqSpX1d -z/PMPP/UHM2BMgT17TSSL6g69JhHNVcruYypQHNxFOBWqg5lP8iXutqS/SJ6FJEW -fKX7gLyfdA/Zj051ttqyE1i/liVfLti8Q4eZX3+/tbQn68T3jtQiYyS/Tjq9/8t5 -0t1B74FXCe8/wlScBpTazngJTxkDFY9kNScYgaCfwda9/ZF9TmhJ/rGoqpj+IH1n -WHyU6kvLylngrr5/gNqgwmc0g4/n2twYcbWBgsTX8ATLSoxdRF89hK9fnJSFS6pX -p3LRMrMrkiHg/sFuDkiEiK8At3s0eMFpyBgAmDJuiGotNtJPvNeMI6gAEjNKlMf0 -8QXbygqhhzO1BFYPHXg8QwcUItXieX2hdkMySXmVLgBQ/IaSWAQIx4iO9uKIMklG -lzbE7ZkSMLMrU7pnWBXJOu7N9aYsoLCx7rc/9C8deso8sbQvkzwu55rMyiTe14Jv -H6tFOVQrpjLMByXnhzFaq7kCDQRgZSYzARAA7Zul4lU0CKuVKTVF6WrncrrjBI5B -NYSO4cv4+Di/nb/F24yb97SjTh53CVHfnYsVwRwa4lmVJTWK3MbRDCW8T7OI8PQr -mWnyuk57e5+nGyhhv0U5z8Lwy/ozhqftZ92gR7qQmguvUQXJT9Hr2DU/a86gMuDS -HPQBSxAh8uKW3QUChM/QOukzVJW1ekYo4SFgo7vb71a0IMBPTNl1l0/0bpCZJp8M -FopRkwpNv2fQUXM2clEunnQ9YKeuhQapaRBefNj5y/u6ALY8MGPDQWIF5EJkxML7 -04+IY9VU7H/8oGXPDdkzYtrF+n32BWkiRXeMcXyk9AyHVHJCNtJvs8SzMHlWTr2+ 
-pBVed/8Cgw//S3ygqfJr7360lI5a5CrTbSb28UI0QIYUU6RmhdIwzpkRFz5R5+a/ -wT7BcpV9uBSbdlrBZ2tjkbd4KLJtj5F8t6ea/1tVXasIEVRcQIles8xDwFKaWP1H -l8Bla21zLCG9aBbaT4G09AruLY96T1bHvO3FvW1JQXE5e11tyoZV7hMDoaOo3FCM -6p6OrOObTzird7S/XqSBVhDeV/mOQceD7eKXnMGMT3r6rvfckyWDpbNLqnXnvU8z -yLnSG3C8rGb0B/CfBHzObq6lEHAjplzyY3mkprXk3TpQp9duH3l3epudHWTnnuA6 -aGmSzscREVCYxucAEQEAAYkCNgQYAQgAIAIbDBYhBBGYwBF1k0l6XsXBmShq8fmJ -dGncBQJib+7rAAoJEChq8fmJdGncdxMP/RRqJrNUEM5Rg/8ZWkArMMhAzZZhZbO3 -7eOLLPUYHzBCQmU2/uXv54g1xhxYpGal9mI3myKNsxdIkTe4PfRJee4KG58RT6MS -Ux8/vWjTNDJNPusoRFnpCa8znjw6Mbe2ZJPzRmkEPrb0Cd5weGTqs/DOh2i49ErH -9IEE8Dqegl2fybJzcWPUFQkMXkIEhovpIFKt5HSdcWyGnuGaxhzjoHWuGCKPRzti -IU2WNailldhRwLp6tVpYVWxmxT7l15MzigWXuYiuS4eG0ATuQHUxs4PJjL1K+g2k -ubxH54hhY3OaXT2olh4YLWpPcqZa0p0lXPRiUXb6pfJdJUwxpGxnUqcPvtA3tktM -67OwNTi2mwE8WKGKFI3DHtkNG3y5hn/OuHhveTySu4DFAEFvlgDwJAhrPTR4uMuz -B0hCcAIm82EpitV07aD1s8zZ0DIruHoZ2SWVVNTBlfreBP+dAgIG5U5HRdBUHPS4 -mUQBCHmmuahe4IHPtQi/6NHgypW9vliDd6TFGI6jje4gk0X/0jtJipEkX9BeFTQX -D46DnUQp555g2lfDTf415ln5VfEGhkWvS7K09uQ49/NfENK+rLG6w8pWi61hCrmd -fU0NU6TQBB/ZTwprTR1irAT1NRhR/k9glMuJDON41ieS2ZYv58KcXSCMmqGkvDUr -jyK1dYOElF2LmQINBGBlop0BEADECekUKq62YGCekiH8yT7At8xXdNAv1MS0KGmo -gEBxD5xEII5wD6pL7KUhOzKZsgKIW1M11ZwzvsnMc5yJC89MmI7P5talQeoUzMPz -5Q9dBC6AOpt6Jv9hNb0ECO/FN8N3rwYFZRi8wSF1ii1+2bAUpuMaD5g/ZporDLDN -MYakM1bhptCPNYLypCJVhzwfk6lFgabw8JiHQkbhorO/NdDgSmjJk0P63YYNU2GS -J2T343rlvqGfC6rOMN3H5srg22ykDfG9UHdnfZScJLnSOioSMh+7lNBdRnhyIIvY -WSWWXJ5Q4qrXB2eWGBFBxMw+qzwC9C6FBaUunT+AxXIfEeKAaVvF044Ngc38GUQr -9SLiIHeh4RFHLlo+UBjIuobghf9llQxKBrPyt9isoftSYODjjqbiz9P2Kr7ETgDG -3WPNMaaUdsjDLaUyT4bOWgspGfH3xyhLIeFRr4vsRSMLjhhJal6ACxT2rPDfg+Y1 -5yUEdf9s3pHovWIjOow16bNEiAoQS+rxtOXLmul+Svu9WBx5Q6FLm2/rY4iB8hWL -cxHtTzzIi5el7QHapZS6lEL8vjHB4HajTiFPhcW1g1ow7WeYZQ3WfrCJc93rBsJf -80EDHUXU7I3DbhJTnZdqTJi5QPAr4STPiJB1bCB6aJy7QajdCG68PkodZF9LBHI5 -H6w0iQARAQABtChQYXRyaWNrIEFsbGFlcnQgPHBhdHJpY2thbGxhZXJ0QHBocC5u -ZXQ+iQJlBBMBCAA4FiEE8faSI4+8FmblpczUGZ+d/vb/uv0FAmBlop0CGwMFCwkI 
-BwIGFQoJCAsCBBYCAwECHgECF4AAIQkQGZ+d/vb/uv0WIQTx9pIjj7wWZuWlzNQZ -n53+9v+6/cLoEACbjFwLJ05NpuBLHWtUeuiGjsd4ZrOPYU7aCd105Dj9M/2PPeup -idGaf7Y4aH++I0cDfhKPUdFXOFqbl3S+mWjpumpXOIWLE/td2ztYTRFxT+9Dhd7I -rYR2nPMEoXXrrQXVxlvw3EfJuwlzrDVnUAJW2Jwm94Lds06eA068ZmFT+GKbQbEA -ULWk6h5TtCtFBqBxJKpOT22znrlL7wQMnkhL4rJTsXkgkGpAVxVUTiqI3fdEG4ul -xZTb2Vsz4AR7K1USrqKYIjanzQCs/5+a7oWXCOEinZ4u85r/Qi4gTvD/6qs7WvVr -+ds+uvTID0THzgya+0PaRugGQgJvfaCglErV/2nShgZ37tJsf79GyMiu2Elqf/Je -IqIrpQbNOMXmdUvU+pzBBq8vJNqpRK3BiOfQwEdPGjgGyrP+Nlu9BKMXqcfKcEvC -ksgn0wrhe/Gw3cV797rrWG/gNQIh7KbvnrIybHIHFzUT2K7kBQQ1ENGlM1a57G3j -1+otWV2JD1E0kbOh7vSvLCUPpq+XUxGntvLMw8XzfZj6pTRm7CnNtQrF8DiYVCIF -Omt9oLWe8auIPwPQ2B2NY0j4SotquSTG3JENqs65de814VSEhHD03m0NEHLt2Etu -PpP5gKiBgq5UpxbSzn+jD07S/CaXlvX4rsrNrKW/6R4appQnr23WvAlLS7kCDQRg -ZaKdARAAy2SZx5SO3XxEPrYViiy3S6XdDGQTroAqlo2HVHy/PTmOtFtgty684H3s -I4jS8Qc8L6poBGMkFEbZVe6NOCyVbcjtQdm+2UGEKAuoLvilec/vMNRDrOhvjCDX -Wv0MnY0JPMpgoYIBnR7VrRs02eStY7PnvMCYJBdNJ/WAsZJM/oyQitS+8O977WL0 -tKmHmtVFcZhhvnAbH0PRm8HkZek70o5Zi7Ze5uodXKRg0K58sqf8q3zjS28tbUN9 -pTIXx9PVwDx6SVgn4b/XaL4Bx7W+Cq6Go/NlAGc9iXtkZ+0iYgAi73s1hBU2TFgp -Z7ZR6hyFbZmrJ7c4c84CuhNSB+uw4Fkd5vNp6C6Zm2JRwDi5jQbDmERnXzkBtvC9 -uT9x61lfQD4pMHTx4OP9LSi4Dc4QesjunY+R7P2EbCQ9CZ/V/nAjWrD+VUyzhbGQ -+CdYvI0/G65X/39+u6jrXt2hQD0KuzhWD76RWP3NCdA+nm9xRwsX3o1UC+GFeG4N -xzlBsp1HgRsB4MkCcPy2NC3Qno6JMpUGa+w4/B+Jd2+sfOVISUikaCIp/nPGl4iO -/9giWxQwCL97KL8jLAIUvhsp7cSKWJqAJdI66kQq+glgmhZdU44d8ayfqUQkpE1a -vTgEh1KgG+d9gd07fgyc8K5X+KrUAxc+6O5TxlzJ8WC1vyhGu0EAEQEAAYkCTQQY -AQgAIBYhBPH2kiOPvBZm5aXM1Bmfnf72/7r9BQJgZaKdAhsMACEJEBmfnf72/7r9 -FiEE8faSI4+8FmblpczUGZ+d/vb/uv3HLw/9EV2+3aC3OmIpXpGXBKrb7wq4KP2Q -23WtbY0W6UBsi8vSfcISHQ+xu5UqBiC0nfFNfIAi+z2averRqu+Qg8vPbtLyPiEN -VnpkZX6wWW+apEjhjtmK/1WFccY2W7WIjOOGicq3oYQNzAr8M8j9u4nJR+zdF7F4 -CThdadwFRH7lx4QFUm0d7ZCz3u6LFysg1IFArrySDy0oJQqjx7JveV3IfD6VFyUX -pj6RZ7DyJagyrv73yKwzGbZxBQaIP2n4wOrKpgvF9gUyhek4r/CistHYr5MLJnQK -vlntL5JCDKtTzHNlJAy7/A7o6ReE1zLwVztwFqCjwzbei+8zFHcpraOUyCAPVrCG 
-5/mhk3230n5SZYZcyed58s5f8fbpBWm8Ke44xelcoeymDEBOqG9eiVk6PgGWN5ry -qFF8Oo8BqJ2gYzZLkfRJvyMo1w8dLYiimjT3VYfE4PKXBjbd7LK6BClqi61I1pa7 -KP/kD3h9hpefjY0GEiHEDnGKPzBroopAPRibtPPPiICfG5k4hYDLqv2SwLkOoJKW -QUFwDdoVSJFeh+SCcKfJW8n/BhtKgQpPVWtN/j2Y4WS7v32/RM1Zocl/eXBDWDVB -O0F0KZbCWanIbAW44EBN/A1omSk+7skYWVAlA94fWSLGKOtza0DaAPsZM/bbm/uH -F0FeoiYvxqngU3KZAg0EYF3kuQEQAM5x6DOFJQ74Oo+lBJNHJUTmYcT10CGl7FS8 -CbJPdvmsmg6BRekj79XMpra3jSCRx2SD+4dlswZNCDjd++2xjV4Pfa694krSsye0 -Eg2c5p/uMNFr1B0qpdbJAhs5Iz/LLIi1zqfaYULitkdo1TVDBkI8YRi3g9OBOY6I -WPo0d/JYwhTMhNhr/sSS4VxXe2Kp67wabZwaWUWBpDT3/d2EvNuWy2CB3h/UDvPv -lqgaYzLrG/AXNzdkDLWvFd0XlAKl2z669ZeSuk0mlEZknh5Hw7jYs4MkSmBEaTgs -D6O9m6dbSC0k4gqYAZ9fYhKTbxqsJHXb13FqEccp59RLxBzbNMrr8j8Gn9kxVz80 -Leizom6tAkP8p9/hqaE1oFhFYP42ft9H6K1ncc8EfbJ/SfMvRyDAa3fsZtBcapG8 -dzCagAFj2bdZlULUiZ05LpPfMytQLgBPIP+q1Szo27HJXbYLWMtG0aq7Zgx0DD6z -UbpXpDdjRKuVGrDQ1vhSDSAzApl1UJT7baoaZUnjgPt9KvsDIhmZKsLiLoigX0jS -lyllh0giaA4GeZKbA4iKfn+TQ6qDeBlZkCfZhXqqlWfdGNXP8aQWSaXfVOd4OL5p -klK+bKlu9OORof/MAvAqlxIh1VliWaVZ9amsbxRjdZzdcmrrNFiMb1gB2BkvMf7s -HvKv9VHzABEBAAG0IVNlcmdleSBQYW50ZWxlZXYgPHNlcmdleUBwaHAubmV0PokC -VwQTAQgAQQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAIZARYhBOYJE+TfIJkH -2OMNlmWal8nPKnlaBQJia7JWBQkQ7XJcAAoJEGWal8nPKnlahDYQAIJUa105MUxB -YXtymcBs0VIbMy/1198Tto5pxVqERxEy67k7k42FkyUrB5eNcmOZcmBrhfFmJ9yi -megkSKICZ3p5vWh14d+tcBqsqKD8eoIde1MUFzQAMSAh7D0SseMoKKmDe4EDG9Hy -d0JX/EOYAgN1kYzu6GSVi+2TryODMre3NjIPN6z55AqGNB1d8eCnYypX5p667Lxy -wVa8lX8MkNNcUx4PACb20Hx8yodkM6UXWOmX4VtdLc1038557wu2Nr7HmJMwwjmV -Wacel6bHrZb47bIIdR13hNfEjpp++kpeccOOxdmhmgtTWJjBW0DtcYhlMLN/NYy8 -Wxe1en7cax84UVm15diTheCgX7eb5VFQNdyTJ3fcdzZZkMh7g8phT5KPFX0af8u2 -r1fPA9v1SAuiLq4VGcmj2vjMBMp5Th7SYr2ZnLLk12Xnu0dewR36vZJqKHSS/Rtf -cvFYjxpvolak4IVZj7edVRcmrlofca2x2/9dSqT4zvrXosix0Nlstnvz1CsT2Y4S -8AOez3AiO3xcVx3//mTv84z/l/8YrT6n12/nW5Ke7Kq1fbVK0bn9j6LG7Qy4ruMr -aBKZDQfChTa7OVRe8XIhaAQf/5BSAzVCh+Wi8GOn7lzAhvsIiXSyo8OhFtpZYCq2 -CJEgV4j9RwiyzZaodRj5shlu2KlID5O/tChTZXJnZXkgUGFudGVsZWV2IDxzZXJn 
-ZXlAcy1wYW50ZWxlZXYucnU+iQJUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQWAgMB -Ah4BAheAFiEE5gkT5N8gmQfY4w2WZZqXyc8qeVoFAmJrslYFCRDtclwACgkQZZqX -yc8qeVp4tA//d0RikI1jFLHqK0siQydWJ91aLs57sBOogZ8g7lni5n0TQkK/QIMf -LgAxDvw0brvMrldKeCgIYd2xdTD2Hznt21dOpUqkbvAMAFIlAL6DqG7iwrru2kWW -7xlz4ga0ZzZ42NMVJyIx2UJqhxj56FZVW64R7Dsq91V8QzEkgtGTeCuGrOxejQ9p -4+qNEr+XH/BgcNbvbnkAuJsnxDfJ/2H4s50RrSofXGx1I/sbnm3WQEKgawVtPyw8 -s3MUy2rO6JOBCCxMw056LA6s9FQjDjJVA47my9nT5qCM4Z/SKSUbSF5AwLssYoUD -MogW3FWtXqFKDAe3vLZ8DlG9EFHTNkbovltSQ/T/23EXpzoexJWKEA6lfYzKl6Xm -4cOCeqrp4ZszMbjQyg6adpZwWsgI2v65ktjUV8CWvU2XizKKpcXfr6sDZ7ndBVw+ -naeW/0hH6KNa1RUg77FykAUpnk3BYRE76hCgY2Sq5btQrjHyM7x7ORiz+cLpj5wn -cCK49Lvpq+c/jv9IC9vJUsNqbLPK3yZIyyfKqCCHPqK+qpYTzXSLXTcB8UKMOiQ1 -N3S7OkJwvvhU3mkWy94jnrfFaKdsigC2A+8Ud3Xw19iCTItuTr1Xiz+HSicPykSJ -3bcTEMpco5cFnOfUHDnvP9kULHJKVQtCzn0EwVN1j1VdOpfyXalqGYu0LVNlcmdl -eSBQYW50ZWxlZXYgPHNlcmdleUBzZXJnZXlwYW50ZWxlZXYuY29tPokCVAQTAQgA -PgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBOYJE+TfIJkH2OMNlmWal8nP -KnlaBQJia7JWBQkQ7XJcAAoJEGWal8nPKnlaVEMQAJw8P8OtrR/Qdbiqq7Rlh6iu -yZGrIjb6lvW2xdTmouftVRl5vJFouS3eSr8Td6afEHYx+2fc5b1jMcNZByNzMe2Q -o+t95TzYlrXdMXm+63IdRJOf1GrMvl+3H47g5nQflyqyyfKmB2eQEDlxrYbazcOq -em2Fk/t7ZiHe88QQeDke8TsawfVzI3vcR+njEAmW0VJ0VW00OtnzEiPD2JSeeXQ9 -rpjEUq7LkCwtO/1PrKEA/zzajl9bWOqJNSkqriX8YKMplYiMGBRBpQ8N1YhI2EbS -qgr8ZQ2lH9Z9okx3JgW31sb40ZLH6DRFdg5aafc4RWBrknt/WmReByI50djgUxEZ -YYaEMNx9pYFNdVqT+IyVZus83BR67fvVbikyRloMerRGoVvORfl48JxSp44dk/Pm -quMBKQ6sOunvkPlmGjpRwwRo6YDcTzzctlAJj7OH0f2ffhRQiqVraOzumer0BvS5 -g5V7kX5OKsfeoDMiul9utqUacQPqWAtslrFTd5RO7Xcv/GBR8faOpria8MFLiD6s -GqPgnZBxtz9+OdQSKe27Yc3xAYkSmQ1IUCO5ZdDQOaOJ2XvXQPNxVnL5YxweYA15 -dnsxJde8bBRX5ELkqv8/NUBOQLAlRj5x6ZTcT/6+n6hQ4XU7G8hIooQXVAf2nriT -ITR7M8nlKxXPifOLoIT5uQINBGBd5LkBEACQOGIgEElrUeaXcwHfIMODsm9VsMAD -oGL3Dld7KbSyoh0zrbdTY79FCXPN9leyDd/hrrpmOi3W3VrEVldc3Dqn332Rm0Tn -GTXRByrrN+ZQMzrKuWZq2YIia76aVZGtbtiptrsOmBYnmbgVcZOnTw2nyc0mIgJo -bsd+Tse1kiPMyv3l99pNpeyJItp28/SjaSc/Ry8Es9ZAoxTz0AMjzGHzSabqiayd 
-JvLZ+W5R66BIo2grEmp2ipYJYPluvRimTdTIb2BRyglTJCYLaBRSz2DWSzJ6r/Ea -WtNwn2XtzkjaJvJ+tGtp9bITlmD++UosF9+exKQitX7RzhEWOOW15GboSKDqVWZd -s5dt9KikjK8b0hiZuBjm1Ff9oy+k55RxurH1Z+y6nUxhju2HkH9dJclAKxGDaTWc -yXseCr0xWuaQoK5fUi9YGYCKWvGUCp2V2pID7z9knFDJql0O3Dx5xXQ0gUUba0LG -h2clyXlFVlEaw7iA2NBVlboeneS2lwMuwmSk2GewfzIr2GYG97/8oF+2nNvQjXdb -tskwmjPquDnYUNs7301mYsmX03zmYI80hK+FocU4spzIWlE6e57Z6IRHw4u/8zbi -f/ae+nVJbCSG/6IzoUhPXIIWnFeNfEIhIkzWhiZMz17laPfSNkC9hyDAP0pj9MbN -JmjVb8E+K4hCJQARAQABiQI8BBgBCAAmFiEE5gkT5N8gmQfY4w2WZZqXyc8qeVoF -AmBd5LkCGwwFCQeGH1wACgkQZZqXyc8qeVrqbA//cP+RgzaeS+hcsw7wrSrn1ju5 -/dITfBnZUfIN39doqM59dAUTIrlGplgj6Zu//Ejnz5ehWV/3LedTPJREJoFFo+29 -NunLpvxjcBHDzFPnAFgNVpjTHOUeOJ0VU2cMnUwo2/CfrxXipl1fV3HMcH4+tR5k -blhWgYJLDVq7hioa5g/RW4TkB5j2k/pz+YLuxK4sAnuLORrPog2IhbuFwlxE9djY -13IJHDNJjfpQAjtlWcp6u+krV5esuGnBJtsGBLj+iH6x273ShBvfZ0lFVNln+dPX -wJHpO3G+y7msW3xDhtWRceINk++uvP2Q4KjWl7cN9c5vahEyUXehnqH4yE0Lchm9 -VMRjRYrrYjkat964Z0wG9wj4EWlD6mu/ttlU5T+NmVAvoMR9DZPZ41zbGJg/V0rC -iofqFxvyPc6J2zzzE98vF4wg9kGAIvLHBEkhbwKFKH9H2+j0/4c2YWS3tMvL4BVC -blBX+CZ2/AmdNLe0Ow9QEDtZfakyxhtAQPNbJB2uZICCkbDmdoerP6FyMYrpWxhb -9sfkVB44p9Q8TgRU+khxeNAT/8nOsnywmQ8hMPgjxwisyjYNJ6yys4O+QOii0LnA -LAPaPMrNvBWMZOC2botZMhqZLRSyEAcOT22d13GA8PzJ4XNdtBEkLuwGgVwtwFEm -sXq6uUQGCaZajgBsi1iZAg0EYIdBNgEQALohT1pcSlW4sk0DNfAvur1W3U+TEkev -uQnKdSD/chKs50nLYRuiVrsZsR28tnr2j41uwvm+Y6ZPYAPSkQZ8yAT0pYnXbaIR -83iGtZOHP6wdxV39Mpf0T3yD4dOmgka1hynqNjEbRhE/t2fXNKf0JrBUmkyyhLYb -QlkH+raUgQug9EsyOJxEMER9qZM+Le/JiK5/i+8JxhjPcAQxiKu3l/usGtU6zcVU -GjMSqs3Z89Fa8WBOeGxDwwSKrn8MyyfEWrbCCF4Ao8gBeFmIkWgoeyumIAA0SYZk -FjaltbTmsFjVmYmmLXIKtKTnzZx0+jYJr42s0Q8n2ymgSKcC0Cmn+iuKslhuMpWJ -aqaHuZhjK/80BArAYETW6ne1IZWPSsobd/2x4u9iwCkd/SWERA3/KnML6lgOVJfN -bFxDxuJ+LFvpe6VoSAHlc4fC6+lMroeg011kzjgWX4H94Bdp5svpWHQ/UQ3/YMGv -gUY1vy+Vd28bGzuslsnz5o2Zh40h2Dmpti5s2w7Z9TvLD2RMM1N6PrdCXVrQx3bB -9nN7x1nLosn+0v/8gfck93SO9PXLQtUgqhhWsh+/TrOiVWmWqLvbN95zWSnDRVHp -1P8vKEGXI26aokxEd1mVfilQKnHv2k6ieMc1M26GM48uXNqLSihYG2WgNl80agVF 
-U00m/+Ea9Uz7ABEBAAG0G0JlbiBSYW1zZXkgPHJhbXNleUBwaHAubmV0PokCVAQT -AQgAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBDm2QTQ9jBBLKxRtw/nD -ncC5aYVEBQJihlmDBQkInT24AAoJEPnDncC5aYVE9GUP/R/QmyOxYIXhjOJGkF7w -sKznajRWu00xRbbTofNroJcjcActcdd4KZjBTQukQLe+ywDq9q0yGs8qdvNVdoRE -nwkK7sfIc/umJhTmWdboljw07x+NPzn71xLsi8xDT113KlSegPSL6tfkSDqnv4Kr -HQJb4HYJex9whcnzW/KR015biH6DifHQfTRw4XqhecneiNCfdaNMTRb1DP4USrJA -FIlIK8zwguJP0iYnKSeInWBAHgroUcrLucUAdBfoQdARHQonlklQ2y1qxh1m4qit -H0MeUK6zXoTYAEgVMYJIN26gFaMoBRd19/1WH8p2h2IcecsaCFBPWpI1jbvz9h87 -6cLC6N9hhZPZFfsZ4BBe4Iw53eEhlgBdm5aa6SRobthKI8q89DoKuw5ok/tEK/WY -9QFzkTDhiQHdyfubopjVVpakaNYmJMF6SNlu7BfLv5yc/pHr7z5BA64WKUd4AJKW -EtN7nu2LAl4jthv23UnJ8x1y0e/ZM1m5r9/leRQz4uFqXEBa8Y0/Ipp8OBnQWNaj -mOHqO44E4/BOXr09FYm12iC5L2V8TxL6HgU+nLRetgssFIWRr9NXhelITdfKOii6 -qrbLP6uQrjFXnLnLqgKB72gSXCYdHLEnwtskkqKXtB4jzYm2OPh0TstfNRdjaS3w -epurzSp4UmP42igZx4cGzNp8uQINBGCHQTYBEADY0/Oat2b8EDcNSKPJNdyrQlDQ -+N2fyTbq1XPThTe5f3nRT1jepYqfsi/i4/6rza2AMvyxPO7AQSsHYlBYHxccqCH2 -Q90jCTu7iUJyU65Kx3aZC3U7VE4+jl81W5/b5qqjvZNRxLgDZDnvO7hBFh7b+jj7 -x1ABsHdwq+zXjmg2mJCBsD4ba5jQaPr+nirvhr/Y744mGpaVWRlg7d/LhL73GRy5 -46DgCVejgd56vMsi2HBy2BKtjxIr2nd2yJn12+A5yenuagOVpye8F5Dy7ULFJ6iY -e1/NpoVnyipv3m0hE4C0x1vIw8tiXR85cb0aGuYgjOgEyLCE9INmMQ0ZZd1JqZwK -2IyWiy0nDNVJXqkzc3YjYZcrYiBb8dV7kvAf0E+UniIYTYtBU2rOWBM3aTT47Jh6 -ftss/tQ4e0HLeHZpvpWwJtkPHb1jGD/08icZH4XyVxIlEMhziuAZdBDTr7v7xSmq -Prw49afWiXfROV01j94tFdvF48wDOIb3qIBBbsNddqMvHPTShq2wMHlnylVFM/0C -Jn/yxezBcuQfRVWeHg7lbzSt0HD29fBz7MlxoOSesmJCN+swoSy4nZ1nhWNHEaRh -32Vn2H2q4ya0rZFEHk2fS6WWBMTh7cjinmklQVxAhB99d+EYCZ4SHu74Ats4LvAs -dJwe5I9blOIrYecwNwARAQABiQI8BBgBCAAmAhsMFiEEObZBND2MEEsrFG3D+cOd -wLlphUQFAmKGWbwFCQidq28ACgkQ+cOdwLlphURJshAAkIdJ2xM7MV8PGs+eN2O0 -/BYpiCfOOc42fwAiqYQzr9WT3FtB6oSh6ybaN+RRgIke1WC9HxIvjxXWatJnbs1U -3iyjBmyHvMBxOCxsIm7hyyLI/QB7wB7sdRb4ZeObUeyXOoAKWilj3r2vOTuC+K9+ -W+uW5Hj2H2tnUKOva9F8RjokSkMiCpCVoGT1YWsWwKALcnQBio/GCyzARTCQ2uXH -pHyAOdNrohJBJWD2qT30Fk/jnOGCbw0FVb+eX5854zosi8xPWFUHrUmzQzFwoeq1 
-ysg95Fp5LwCtorI0ilZlCngFL1ij0OA7IkpZWZfCRYrne26JeMmTXSA9CEy8U8Yh -h8Z36JPoiff9sE08Dd3vmZAxhijjp0p7H0YpCu5qCG6ACIUKgoqwHV7bjkQ6+Znq -s02Qi8wG+gMVOE6gmiw/SpIHE8EJMrtp3AOqC8hWdnqtJ8Mv1aTlfkLn7fXmeWy0 -Q+uzJXLAqnB3hZINXT5lI1jxjjydU7YlQiPHKGnJ/biBq+EwMcVQ3UirtjK2RvnF -IdqcoChlufsPyEo99VrB6yL+tEbxbSgNOwTNWEuVZ03LVPH+Wr1sjp/Ao/TexcLJ -uPgvjVkHxqMNnJL2kUnMvYnexp1vmocSL/bqr0Ghg5kqMl+rq/hwl/6JliC5ruBI -p41Fg7D0Hwt0DeJiahaJT/6ZAg0EWPFG2gEQAORLr5Dtp/BgM8Weole7IXZki9fK -wMGumv/Fut7iNV6IL8cgQtpB504mo7VX4GCdNGR+Giv5ireZnW6f7rMkiIVybkqn -uw9mOHXkkX3o+wDh7YSHl4J4nONcePWcApd+fn4KClgTIvfSvX8AKSaj1MoiJTEg -NlGRm/GNjhQp6j4SgmjRWK61Xya9JODFrP2DM+Fnk4lHzMQJPyPdPx360EPzBbHG -YZnS94678wF7DUL8EOvxGpMJcPLBRvI25Kx1vdrlou4i4t6RIlVIJwXA8iN7Vatf -gXILjb56U6nRJemNbN1vTw1dfgMRjzNXJVcjVJxKlNuyV99wWRjrQ0mGOk/u3zno -v29MtF8cgz0Eh1Jgf9qvmYRDS/IluI1+THm0gycSachhuaeOOZw9kMpng/JARQRY -XcOo044BaGT0dQwUSQA2R3W8Rw01DGAPZ44kzp6B9S/0q24ARxFfaIO7eAjIT7nn -H3ZVWgQkO7kz5Do9gZQgyHufPaBLeWeWkba+q5CmoNL1SiCxnwvg2y6R0/aLFEWc -P2ppM56apFjAim05frC+u1Hs+ZY6edFnk5ykrn+rIr2IItjttscNWIGhXS4sQc09 -MMeOsAsmupL50fWCViJ3/zY68oTcpESNGkw5bzec19ByqQyL1+EfxZSTPo4Pol6a -8H+z8LAFLbDf70sBABEBAAG0HlNhcmEgR29sZW1vbiA8cG9sbGl0YUBwaHAubmV0 -PokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlj9M54FCQ00 -VS0ACgkQ29s5dHDRIXLXFg/+NB42/hZQ8rczQeXcS8Sc544PF4/KxTSSG+CfD+ZG -1C7sE7BF1sHQda/wrHQdcvtcjiXabIdFlt30+sGUbhgViNmpaapD1YaUsHEOlIk1 -5E6lOAqOHEDaE6XXEfYS3mRtFxnOkkn3O4PeuqSrzRLe79QAH9DNh8lYqdAFNeL/ -emxk0BVNGnf/iwSfWQJ8SeU1Rg+KH82p1cTR+uUp4hM4CZq0PZyNhwmVz8RMuKXx -KrWciCIT/74plqVtxdxFIdVlJ38v582UwMiHqT2mNwTnraiLLIwcp53+kBfujUGq -UqpLDGNCg2ySkgJUWTIy/4/twg/I7ElryRobLIc0P7yLUbO/Bw+Eth45YPCaJcGz -gRrxnspbGGLX3OXEysR8Bx8UiiZxGjF/NydJjcVUlgigTJIr8gGKK+p66fJ4MDYk -bW8tJkhXmE2JxSKGniGeFfhnWASU34Lrw/j1Jmx4XPG/PAyrlEhRtZXAiHb5aPnX -9StQuCgzio2SB6MMtgXJPFst9er5OT3VRd2l6kEe8T0oVWqHgxsiXLH1MDM6LOot -1mWc9HAtvetYEuy/tdsJN5i2niNVTxDfmGe8YXL4axJE4m/TiYlb7CHLP7PE4Qw+ -JVtUDm6bdltKPmii7zsz0uIm2tQ6o1/LKp10sLwvkuDDCVgqo/5bpDgsx/9aGiPc 
-UUKZAg0EWSVi6QEQAL20JKOeg2ze5w4D1E98py4rzskP2N163ZRSzDgMd38fCau3 -dPtYqgfUbBGn657n6/Nep0VFniAb7u2C9Sw601vmuHbZtMGxQh4ay+b+iYme1cIV -CFhx+O2TTineq2Ank8aNlqEJFiDhpDa0anYxvxq4W4U+we04ctZAIvu9BKGw32YS -QTMBBmef1Bgv4i9NBVIqxHLxdwdhlWTa5PbFBjYu+QC5xYXROuNTYsnYgV16lzT6 -PPXFqwFHRp9P1hxwelAfnDzI5b72j+fsGIwd+BPSwEx0oJ8pWhCtB7QKwWepz/5X -g2yceTJStt8qIgWb4066kgykvr8D4iTLlimMghQc+5UvpUBjrCbjrdYjwU+T420Z -6Sb2OohLGKuRhawgShm0KvJwLw3SJRsarx4th0L17BTl1qAJ0sbCcO9iM6/MfXno -tOIT9K+urarSQEMBrsJMZGVP7ayAPz2iXvdC0BVQmy332VUcyYgvVxXgdSm86VMk -dF2w3pWGU+vDq577a+ZiwXzptieLq8wfoomeaJZrXCKNg7TCJKmG1NcBrQcT8dNX -6FJv1sJFvKKnB2qQR5qPywpzH35fI3FU6VR+jylBmctFN3rUW+P6xJNIRuj3lrmC -LRYOfI22Jp8oS8vFqXtXJq1sBwIRwsNgBUd980uDh+bgffkc3RhClS35K5XBABEB -AAG0GlJlbWkgQ29sbGV0IDxyZW1pQHBocC5uZXQ+iQI+BBMBAgAoBQJZJWLpAhsD -BQkNKGiABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDcn/jT7lryf04lD/0e -25ngEw8wMUZU9Rn0M/R3vgMX9BxPRXXTVOt0hn3ZHi6nnoO/jR2ONBlzZb0Gak9U -Wv+/qp2Nql08fm++Zq2dAPP+cg5+jWLA9YbO+YqdsMFDiolfsl3o90P9iitwP7S0 -5A0osgYT1kVCdLzSLP2JpMbO9AoRAoQy6BBJ/eQbc0EQaopAGxNOsFA5QneDzDqJ -3b+om2sNFsv1O4JTvsOnH0dQCeOP8jGW93hFANr8EJjMZgmULJOxpVbepzsMiH+l -Fp2q2zCCFIRO2XpJKj3Ie2hg4ZPFc7pSKQsQTyaI6Vo49CsL2EIP4tIZzlCE0sEQ -p6zSXv3D2TD2pn1d+HinD+F/U3g7eQ8fJSDSr1BpfVcq2KCNNRyl1/Yqrwu2UHrS -njR5kTZ1XdPXVf6tyffekVJcx5Ml5o0odeh4Zy9r+DJlW2+LyImGq3D1A5STFEO8 -YH4URQh3dnXIC7tkDPqqJQKDEr9Unr+QFv5hhHwrgUcuY053kqiJN6spC7jbe64x -iVh8EelVn1i4QlCdMSmLMUR46BqLHHlEMueg+x3/Hn1VL15poqi1M9tb+sSntK9s -qPR1HlYx8bJ384mtxZVnLz8qHkxz/go4cP4kYCnRsTXXdOQQShNnyA0cV0t2/nZX -15dSR5PkjHJOFkGRTLqlqUMzwDm9p/oR63zE4vL1cZkCDQRc/6jxARAA6399os7L -WW0t8VwhEmjSj+1L14Ryh81QPEM15P1DrUXagxeLu7FGmecm7r3/0CA3m6szhpIv -9qZ8ifk1KZPYkKQUeFxJvfrtRfcfDew1Ynp4ansl4+jARv06GdOwkG7EiyVktSPy -f0hGqLayeQhmqDl2cxPJuPO8JOSDISgk33rU94/QBWA2RRLSJtB3MZupY9Z6RvYM -swyRbcYKWQlqZ09iZ4IDqeeOpl/YuIWECl/99bpEEoqFD9tNlpaY+mDy2ihT6RWe -+4uefbSWfFEjxpGd+x1ccCKKqViYggEl0bw+S60RaS+5xEOG9wnuRrVRnVe9EbTY -w2+xMdDsBaFl0qvLPY/66BfeD+iZpA/dN2BrsOLLWk7CJ9yCgoHxL185GMLbQNy6 
-87bCeVUGDIBF56OKzGBA7bJiW6Z+XVkVX16li908TBnLy6DItYIqYFmSgGCAYviA -msq1v/dVOddpdAzDW4RfH5FrBNopYM92FswF8NtDN+VstwWAUQA2IDX3fYwPimIV -+xG8ebgVALy7nWkAdsFGPoZkUJa+x5Ln8WUOF37kMbNthd/uBelyeDZ2MU6/Eb+z -54GOWijnw2l7bnlTysatJ88l0dezmN0OQ8Yn3SaDjMKNVs+kifqVlAhSip3/eIA4 -/3P3Bp/RWtakzN9nV/fUVWgc6hu6FzM6ozcAEQEAAbQlRGVyaWNrIFJldGhhbnMg -PGdwZ0BkZXJpY2tyZXRoYW5zLm5sPokCVAQTAQoAPhYhBFpSiAeB91Vgi/gV/JEN -60b1PqMSBQJc/6l5AhsDBQkSzAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ -EJEN60b1PqMSNQUP/2me0vxABXrqn9uUr/09Cz+HWio7W3b901alD1amIKS4W8cK -s1vNe5qHEQKH5Nd/LlYKuyKuagKWKrfLG7dguNAEVCya3zUqFiT71yh7BD8SvvUU -TqgpTet4fHW8sr+rIYgvrXUVPrb4U5DvzVfMOBBO1QBFM1ZS6J7A8EeVmmyysYc3 -6CPoYb/CB6yMe7G1pnE9tqooA4hiHwfrb3t9TeSzKIbKTcuHtGgaxIosp/e3/eFZ -Ui0zPVAQKLBA1rnUHejVb9cARZQSIFpLBbUaGGBJSjNualoQOWPnHCuTy9yF6++B -4ToLWLB5r9nQu70cdod21tLtp2BMpryKikpN6OIq5Kpj62uAGDu5b/lhhbQV5tp5 -gxabhIyfoCnLC6JMHwVsppIG1XsDtcM4IaFl3bl5Ol0+G0vuNru21e9ydGMHR153 -hPl5fszWCkWQhHXw728+vIZX4KI3uLbpJLDHWY8QGrwGpqPMcqObcepkskejpKZX -2JtycoiOlntuMWfLLmL7S+OmYnFkOy8G0TctD45wLlfWtJDzRr2p7TDYcQ3oHf0O -QMHAQ4qUJXLYyxlPja4PWiMVx5I9hLtXfJ4krKK/FJQDccFegBR8vhQVoQ0WFot/ -Vzo1qu488f0w0tAJDf16+w8WFhYnIbwfndGMgfu/nkAZ/NAkD/bAul9NGKBctCVE -ZXJpY2sgUmV0aGFucyAoUEhQKSA8ZGVyaWNrQHBocC5uZXQ+iQJUBBMBCgA+FiEE -WlKIB4H3VWCL+BX8kQ3rRvU+oxIFAlz/qWkCGwMFCRLMAwAFCwkIBwIGFQoJCAsC -BBYCAwECHgECF4AACgkQkQ3rRvU+oxJxzhAAx8TGL+IaTYEzEICUk2wBTISoSMuo -F5eZU4x3ZviA6yWG1OLn98uLeCGjGCMFp1/OFGZfCe/QAVj7/eBZzPnvVj7JkUrP -t4EpU0XOpVan9cVh9Yzds62HQ19WRJOnMYO7xzZcempmUsZ5oAGivRsJ42UhvHi4 -09T/ZpRdyOtiWXmdBXIRK9G3OuLBhchvFIhAbjfYbFD+gVzdGThU6xHXAfnLoFuy -zYIpXzgrDYdmfkskLmTd4meKoFVwcBnPWXxUJz1HNxPCI/dY8DUmWjqnb4qBU+Jn -Lq16UmvEG2TdxpKivcoJH5laIVnAEa2A3answ7WU5yF7n5b9PH9xFsPJpcUc7+rc -2F3D6eY8WY+tSSzyKxuRYF7hFeRifwSSjOMDp50kgUR2f/5gGRD8rDSKTtGq9pVD -XtIPt2xEnY/SH6O8Mmusmk8/bS61t6HPjEZBGOO9LrYbVBcHCZAHRzWuFTIadyh+ -q330fXlCYHaHAZiN55TEDocj1XxlhiLcyRGwDtMnc2IOjJUjyxAXwFwVqVOGCFto -p33tj4TCKmMD+NSeLWmCmDLj81t4r9+O2A2A8AhEMBCC7m9N6DlDdGMeOyzdDTUT 
-p9cdbnLRc2qJNk8Q3C4/FI82SoJtOE0buvA9Jfz5GEU+V/ZEuMj+YYRCz6t3iFIS -CjxWlUTIH5Gw5A20KERlcmljayBSZXRoYW5zIDxkZXJpY2tAZGVyaWNrcmV0aGFu -cy5ubD6JAlQEEwEKAD4WIQRaUogHgfdVYIv4FfyRDetG9T6jEgUCXP+o8QIbAwUJ -EswDAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCRDetG9T6jEo2yD/9PNspN -KjiGq0u7CBxY4XrFXYNzGVUJUQxnCZk5o+K1zpU5VCV8XjXBrehwSe/17hAakl+5 -j+qFt/prORPHdXPyKyI+SM/Omuc+1AjOU3OPApwrpX0AsYMdDi5BtpXiJ8RGBNEs -KJN+hCikpNkUXVlbluvcytCX/je4TbnJdRFFSJCdP1YXAzrVbXCVFWgTU5g5SwPE -pDxs9Qzvgg35PG/U5QiFSTCNCokT1Hdf+S2a+h5nxSnqm2Vn80NyNBy9y4kBBCkU -18NzR96cWxiccshR8qS+7Tg1EIBFFnheZkR2MQukfxCHliX40pGipyHE5Kf8huYg -NRiHsfdYIfzYQx8lfvwRNq38QrMihIfcBZfl6z096J6Aj6XiA5VqcKDdD0gVw77K -CkRyzBtGt6kSqStF9JYE9RjBb375qPsvCVhW/alpScnRtJzVytDT9xeqe5F0V6/G -hNvnlgBo3I2p+33gDb5TQOFwoidV46lXlAYo0sAbXJPw9ZZrHE661HQ9T5CLtJ+c -adITX3638Sc6XcsdbD+upU2V1piQ9gUvgCNdYGjcYMXTfe4l7x+6pthE0lb7u+q/ -nyzTozez0xoCWygMJlETQXKns6EnhMi3phAuUnhso3fWAvwtOgHW9QaL+rx5npad -3wGyRo9xqTmrE/El8FgALXY2XfggH/zQhIwNIbQxRGVyaWNrIFJldGhhbnMgKEdp -dEh1YikgPGdpdGh1YkBkZXJpY2tyZXRoYW5zLm5sPokCVAQTAQoAPhYhBFpSiAeB -91Vgi/gV/JEN60b1PqMSBQJc/6lWAhsDBQkSzAMABQsJCAcCBhUKCQgLAgQWAgMB -Ah4BAheAAAoJEJEN60b1PqMSjWUQALGWNAhYnuTTAIoKtwPsDab6kJV3TcBaiD5e -zXXYX1WFEKMuLenYkCIzRuWOFkZR8Rr8iJj7viCPWV5bniicsKNq4Af8YIXq8Qna -m30gSkHo+jGpzZYnDdFDajYax7wVKMxUmPsC6RhfEk0JAFXhoqrFOrsuUw+bBC4L -OvFzdufmS8klJq4krpYf1kp5CW6/DL38YRrmhq5djyiuA8iJPtylxcR+tXSmyGtg -ltCiHS4EdOOyG0hOsfkHPqIKd5Tb7J+pMGimCp/9YV1NINbFpWIG3pF6sopMLU5Y -Hh0Wq7SgfDVmkuPxUaEChTVzS9y6k3DwhW7ZRpcSx9hDRwaHFw/eTuSdNH/7CpXK -r0o/+zuvq+gpAHbPH1GfikoNB87lSdfUdM95QTveQjS+6IFbQR/5pCEAraZ97EP0 -2A2o45nn2bV/gOvZRqqPuJZQ8rJ0ryqfxRWj/cRKrtt+k/n0dKQXJt/0g5s+IVgI -HHoe5htzsXyjvxfpSL+vut8Yftr8lyCzGqFUZaX5zpsgwpy4FMf93ttPYiQuG/pV -D4dSxc347xL03rB+0F6YIv6SDKuA9Yy9bj2xRuJb5WmAlb67qwE7urGvgAkMXs3d -eVMWJ1oH5KB1t15mOU3Gund/q3WO21GQj7leALl4cV+oDXI+3z1idIMEWQWaoY2p -T7PnUw5ruQINBFz/qPEBEACwWHa7KtEtx2KKghel9yLwLx44LRnuKWLjGNrHqjIy -6RSWBcOKVUnewtlzr8ugAAE3qMXtGd3vCLpEtqDJ4RghBrV9YVLArr9ba4clmSgr 
-1iDKZE4xjR71rkwEcrQA9IqafaOQmTzj/MJoErYONat57CfArQs+Sd4SYJyLTZ+6 -HdSZVyM5tDooookToZaq/FHQ1gKtQVuIkM7229JaVo+4xQn8N+nQCsKvbl/9ATxX -oxzsf2UxDsOOW+Mi9qAmSDdDpGIsWkFmvZnRPPnLXRkQiCcq703Zt/A5ake4JPLV -3ZVvvzhvA37Qz8YE8Pud+jTLbvZ6eKh/X3XYkUGjtbDUPfY61HTbiLKcDYmEbtD9 -bPa9gePhNPXVcpVKd+r9UQJA+Oskt5zbNnOx1JCNIHKJ8s2ll62G4BcS76BnPSzC -tGuDnW01xPj8Q5qEHwBcpKvWj4sRx6DSxhieeMm3FZ2ScCarz2vNY3smDJSc2lOW -YlFgQwwzqAsxqA7Lb5VmYuSRKKEWB8XnQ2rcoAaUuCm8qU/zfa/yn97eZa9VKMMX -9X7tcMAuYRD0fEmS9zjeX64h/+tZdQnUq2Jtthz4qInNs/lSSYhCTC5H9FZ9hFe5 -X7LiYnTws5o6TXejtXxItaYF/4Ltdsq/bT5gI/PNqP++iTQFjLDUUoG5S3U8/631 -+QARAQABiQI8BBgBCgAmFiEEWlKIB4H3VWCL+BX8kQ3rRvU+oxIFAlz/qPECGwwF -CRLMAwAACgkQkQ3rRvU+oxIWmg/8CHGV74oqKrNf0ruUaHWfm1Lk++/CAp6uSZeM -OkJST/4Nl5f2O3aPA7XVk4davvHA3IrS053LM7xUUb0FnarKMlKg//3f6Jtvaveg -e6zfG3qj/s6fS/8EgoZkS3sywGHYzy299sgZKx7eF/pkVj/olgDQ/MpkM5scpDhY -1rHjvhcR8sLM8O5DkOfyTaEiRuphMRF9G21pu3kIPf4C/4tMN0TmNBzd+9L6n4iQ -ooVsxzAohjlIQl6DjnGM5U7Io3ufQqCuGOhJNdMPbuaH/ZtLxhnru1kZiHToPoGR -DAW8YdjBnYIljW73RKPgMpkIiL56DXSsb87qKBLZ3aBkjZO2NxT3GUPbCAYQ/b5J -Q0Oeu2wbfYDZ8lr+rATED/9Z6mrmPPgmVg+EmXpX3byBlfLvWuknZQgEFyZEiQUN -WsPX1ML+VXUS9VkHYngZ6PDSPREP+rN/XwsNaCKg76Dx3Vcxq+0Nj9c6qEPoiC4e -QGa7iSc7ylHsYlQ9qLrwSBXmOoGSnFkpToyEi33SA2FqZqLIvG1+z7sqiTiWbTdj -Z8GShAwZDDnsbNUxue9YiYFNUwEkJhcxkApawGhNtWkbDtTrvRRAHZ58CMDMRvpa -KfGcpF+RlyRumTlEChpi+vNX3Uyor2raD12YolIUGbjVdj3vYRkwdvoQ3cZJpZZL -HyT9nDWZAg0EWxcHQgEQAJrYyC/KKIzplzkKtuc6jCpUT2LMovFvUHp+OdCMN+K1 -SgveBhxsHgK10fx9Ki1Uvo2WjhUAw1reQk/g06wiusJW0bZ2W5rKQKUPJH2JLEJc -VdJAVdq2vGTdsVNkvia8O0XXzN0tGb2juyjX1HPXUJ5jRBsiPrppeK6+NEizQmj4 -WYBF6wfsEalJdQ8g7nSR4p9sHdotI+6ug6hxStcjK/wwFLRqpYwZQLDbRJVVMDAX -IVLmmg8CP4VarIsF+PEv9ioCEaT2yynFVYShmbU2XmUJSlatXaHhS3/C6IkKtOWZ -dU2Z2Yg0OyAUssikXYDV8bNOdlSq+0gz+xwmglKGYwMxs1S+CtSnSwbuwmLvN2VM -RWDCN4CLYRezmkNW03U2OXRxrME6qlk82VNcLjpJnc1AVWBF/Wi4K+sG32e+uoTa -7vZD4p5YmfgMRwe3sa6KCNgbufin5idIttHB/ZOZdyIMvxMqEBkjgCOHArLDFLMe -Me364uBt7c2MLCPH6+v584RdrOz+Yl8AvKg3+izX6lwXE2VrC/6fkXlW7Z0+gES8 
-YmNd++si5JOjDGqQhJ6h/r9uZVGLYk1LpgExgHxGhG1WXISIrGBd0kqFdkHYAIgT -Z929grdv4tFpz4+rSBxTBlwdPCKselkX3b0S5hSqAGsyFL/UT+l7h5vlLvTJe6W5 -ABEBAAG0IUNocmlzdG9waCBNLiBCZWNrZXIgPGNtYkBwaHAubmV0PokCVAQTAQgA -PhYhBMuvafFzoP6ktTf0cNZslZMRi8y2BQJbFwdCAhsDBQkHhM4ABQsJCAcDBRUK -CQgLBRYCAwEAAh4BAheAAAoJENZslZMRi8y2o4MP/14vXeLNCNNtnhpbknRUVXrO -RcKZsDTyTHLx4BJvae9DsB0GlzGI4xlkWFXRW9o1/3xG/sHpg1hQ2o5qAKPN8IAJ -BRm+O/cbyYxX5Jowy1l+vipt93ZS9h+L2nEWk+hBT6hnf23u5po5JKPCEWgAqZxC -nFivP5/STND9CZ5fXlTMXGYRmehI/uGQ1k8qXMLVCG75mMxIbtXVnl0NIoq/mnT8 -kNWs2y17EKrbhX6tKVdOzsQISZ1CN0+SJeYrfCjvlVnCFQS/wG3OfmfsXIMtXR02 -sLffhai54jIM/DndaGrsNxayGqScMVMnhkU8Tk1M92fwph3JaMlT7mik+fndWkQZ -tKAuu9j7CNmFhd19UKPbx+FpLIEccYyn0jh0Rngc8Js3ZhIAjaCNpSjJTIuWcNwR -dks0hHSuvsK32C+YpakF1G7OWWFSSy/p7VGXNR6R/sZgn7oC0qd954BGyaMhxmM7 -fezhcFYCSNG5D+jG2Ri5KtcFJcuw4tKXDxT1wg0pmk0tLH+ZNPw307Wdzrjqpz5T -rYzLTiycxbl+uo4btKe742rluSXVaqx5bVpx6o1i42lGevCjq/n6oBbM78n8gTc4 -vPrdPjRYONviTplNipLol47hrPG2yakoe0PqYKFLm7CzHbL64a3ZCK9K/XWth8OU -JbDUGWRHnVZ5tpxQqYR2mQMuBE9mqaARCACFSqcGmNunkjQQu3X+yXnTmFeEkvM4 -JXZTOBdR8aEevNGmmFEfyvjaDjWi9hcwp4E/lYtC+P7VsVjM1OSX9eq0jC/lGL0Z -yRXek+mNy0n5H1NSuTpf9Y18LMqhc4G+RU+LcNiZ9K0DJuOOvNLPxW7OHZguxb3w -dKPXNVa2jyRfJAKm2uaJJMT1mTmFT9a0Q8SKr+mUrrJkuG0H2o6SzrKt8Wwoint1 -eh67zVsJaJtQFchnEZnlawIcqP2yC4nLGR3MkubowxoEBYCZet18aHVVRbvpG2Qt -ob8Lu5xrsGbmXymTkHTdpvkfcJFADa8MzOL90zOxXwbGfbIZOlh5En8jAQCXlfnx -2eQL3BSW/6XANa51dbWiEp1d1BAkpGKtZvlk0Qf+M9WAi+9aXMe3xP5krxtgnRNU -f2WN6Zdy2MxL1RRJCFbytLhl0ronC49BsGYVGshdEH8xhBbiIOJKuVZ/DTl9bEm7 -P9c7CC7iJyVCkhUAhouH6xzZQNLR+RU+QebYzXypVfl99Qk7EdMmr/WAZCHLuvan -yqepC5EBsa3VnAfQemSNoBeGBKWWLiOsPjvS72+y1z4RUMAfXHn4l/sFMt8zt7/7 -4AmJPwZquV41p4mPO12V4+xPyc6RsB84sfsk2QVivU8w8AkvGQeYjXoz7Iwao95+ -fWteVzZ36KRQvUckP8pGjHlDXnHxJ0HI1I/kOBZSjwRwUf0dd73y6erPhbLk+gf+ -NdI3H9KGJBzG5/rVyWKwUeQ9d5ud4jTJRkQGvAP5pg76vEa9dogbpe4W5Z+0Bfbi -JSnQmQWSHiZddj/t33ptbup44Ck6ZTgdlmFYMLF1hR47PIZTDKEREuKYGci/vq8s -nZvEJP9YCw/TtiHcMdrMKcY/+Lp8lQO0GHLPB9glVhnC0db6l1Xpg1CMI8/RozBM 
-cij30EgATggC/y2zbiqAFoS9FN9nXPbe4phStqABEyeZ+nXudt7PUYTjVgcrqo8b -HZCisBobWC7OnKyUzxVxzUeuPkIfmZuzkLaMw2McQdvwwsNvQ0DzaLP30c1Xsm/7 -EIYJcOWpzlVJ5QrdmE0/BbQyU3RhbmlzbGF2IE1hbHlzaGV2IChQSFAga2V5KSA8 -c21hbHlzaGV2QGdtYWlsLmNvbT6IegQTEQgAIgUCT2aqtAIbAwYLCQgHAwIGFQgC -CQoLBBYCAwECHgECF4AACgkQL3lWvF2gS12XMwD9HuRIolSwIK77u8EY461y2u6s -bX36n5/uo/LDQuxoi3sA/0MvpnvzOhv9IufvvsZEj3E7i3h+iD5648YMwfTFCij+ -tCtTdGFuaXNsYXYgTWFseXNoZXYgKFBIUCBrZXkpIDxzdGFzQHBocC5uZXQ+iHoE -ExEIACIFAk9mqaACGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEC95Vrxd -oEtdhdsA/1qQb5RZbh6PlIVeHCFFC3fMvy56wJ1KC0knhphyZdcGAP9bQFhWGbxy -lFn7xmnbJ2bpa+0YfzRWwbgmeISoZItQ1bQ1U3RhbmlzbGF2IE1hbHlzaGV2IChQ -SFAga2V5KSA8c21hbHlzaGV2QHN1Z2FyY3JtLmNvbT6IegQTEQgAIgUCT2aqnQIb -AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQL3lWvF2gS11roQD/S/f3M7Yg -ChaM8SAt79iAPvLieplUBgYguOJjHc16QA0A/Am0mjKmNq3W5P0uA/vB+liCEcML -dcZiOIsNI44eHj5PuQINBE9mqaAQCADfZPMpjZkkGZj3BY/7ApoLq4mwqzbh+CpL -XwNn20tFNvSXfb8RdeXvVEb7Scx+W9qYpiaun2iXJgCVH8fgpZpR856ulT1q6uCG -++CXubEvip/eJkZl93/84h04KQJwsgOrAh0Om3OePRn8Pr+++0LNS0EL8uX/YHeT -OGOnnmTqYTeySBVFdov6L4mepddfjekicKQqhL7mZh/xuq29JijT0uNNX8v4vDWQ -Du5dlAcdd+uB3gcXMD/PginD11zp+6wtrWCm/+yBqpvDwXQX5PGUnwvbRfl7Ay3M -mwmoXiecZMg0dwTSc7e0lhB4HGRHZdBMJB4rHUVGdzqujK/ctOvrAAMFB/0Utb76 -Qe6sCMlHxVAmeE/fbo7Pi05btZ/x01r67dHfaMSP0riCKJ7M0OW+jAXtu9+z/BVn -YisW67WWfxl2cS5tZDgiHgJARXWUOO72+sScHP8KQmTl1z16gyKbwY3SmyBkwcpO -L35nhUWNLy93syPoY6sZUTikr2bZYukHDQ33XBPs4e6MbWKfsa9qaVmnlOF3k5Uq -ChjutfHaEa4Q7VP4wBIpphHBi9MI16oJIzzBPbGl2uoedjwiZ6QeQZnSuOVYZxU2 -d3lRA8PrtfFN1VSlpEm/VcAvtieHUYWHN0wOu+cp3Slr5XJVNjTjJhl28SlinMME -54mKAGf2Ldr/dRwXiGEEGBEIAAkFAk9mqaACGwwACgkQL3lWvF2gS126EQD/VVd3 -FgjLKglClRQPzdfU847tqDK4zJjbmRv5vLLwoE0A+wbrQs7jVGU3NrS0AIl5vUme -wpp2BKzSkepy23nWmejwmQENBFhJm64BCAC/9u6NdeqwFuJT5TNbKVrlVnmHihg9 -6XSYGwl8UPiiYuO3JxXZaduBw0955FOc6X2cAoOJrRYv1zZO10nWS3n5CfjUn9rL -Z1dnmL87+gZcOUfejBo2EmLIVM1yTsLZvigxIhjCUdiQDsUNhN0h1QMwprKAugyh -tS4UI9DepsEt9KaqVQ4Jw1M6N0b/enkQYs+PHk5TbWUqwdvuGDVeZI2poBo2SL5i 
-gUfe2EAOZLZo0CY+tCsge1hu+fYxckEF4C8SltQqiXnk5Z/SvqhuRV0lvOYBshwu -n+6qgC5UJ8qHsfW7pK+QewfxnsAsW6gbuKorluCiRg2hCIwK3fAJ0SLHABEBAAG0 -HUpvZSBXYXRraW5zIDxrcmFram9lQHBocC5uZXQ+iQE3BBMBCAAhBQJYSZuuAhsD -BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEPm6Ctoxy9ie5VAIALXzzB78e3Fe -0J83zOfj7VBHRoIsljdnlOPirIciZquOoeOOMpSdwgHA8sdlFxzspEDyN4X1YU2z -J5emE4x1bNSY8tI9h7Xflq6kGJ3zlYa5SQ9w97Z0Mnas0j7wbJGeajPmbb6ZFfWY -83rowHUuIujql+RN0Av2MKxEXXeydOdZGImvzCoNltHWlmoHxI9+oerPOQ+04Rxh -FnCvwv5HyiN29O8sn08F92wXRrKzLcudXJeUZgQIVmv5spY84SMldv/lSr18s3lP -lvQDafPjbzUs7Q6dJFiiGdW+sOW3MntJYAe9n8X2tly5owMs58N8BNThMJoLhtIm -1MNZzoGnMBa5AQ0EWEmbrgEIAOF4kVuofaESBahVCR4jWl0wWbiv3RNOUb/7Vm1T -XeH8kmkLkIPGdiDSrc/yENi9i9I/e+7fzV+NY4B0IzPewUfLUrbrUR43LRBhumNA -kpDEaXYQnz+MGYIXj/2pWJoVs0tJMauspCJK9+iTbFPENE7nllQb0bI1FZ2nSgCd -w3u47o7Dc3UKh0xWrC9G18BJSZbPn9eUZ0ioDZaVCnxvJfS+MbSj9KJfG6xgngK/ -khSrMPiyBMXs1mSXI+pZSMFXTRl+U9vIN9qkdsP1vgin7CgwQa2V0MHPdQap7Nsz -bpG0dduxRkvgM7uK2Y7QCviDq8eVbC8fqsAvRe+UDIXbA3sAEQEAAYkBHwQYAQgA -CQUCWEmbrgIbDAAKCRD5ugraMcvYnoIuB/9cHKVJhmGe105G0XeYNVq+X0yzSugM -fAwVGJOIY4bdkbxSOj67eAc1xTH6wbx7KHHhDfDVN/5KHxJSm+uJXE6hi62dY++s -yPdoqhv/1AMD0YKpx62Erm9zqJ3/k5pCPmzFLEniQ48bdZFxaVUZBvZ4c4cq7aE5 -kY/WfSN/WNOJ79zSo+vT2RntuFY24Rkplwo+aiq/gEdwKvuOzVDc07G+idozfWIY -AWXRgiGDEgUgmPkNbpYLoM1MPKTTkBVMjYvEESdkiPjHHcBugV5kpsuyWm6jtbgR -2Jt84gq8+qv9gVgkT0xo+Jf/9X7so8CXqtI9P1keQ51gXM3lQFXkp7FQuQENBFhJ -nJYBCAC/Q4RbdpAwRval9S6doIVKvPu27haj4Irppgz4c0NKtnGY6MkYOXwMJmd1 -KGnV4kU+zJAXCj+4fo0nUnPwMl+vkr6X3KtOOMr9Bb5T1wnj2YieYpA0oEf4Jnic -8qQZKz6SV2aZxB/FgS+orOC1mDv1xmSPuHfCZuH2JtHA+4y+3XqYt0ZusS31vSsv -63HiUqt0c33BMrTdgDmP0yntDnS1Qb7cgwhMe6AVXHHNJDZSNbCWkwu1ASHfrTRU -t1ijEUZocGBIEmMN+vdyU4Nd5aF/4fiQRoNOq3WLjknaKM+uAJ62AguDzuEkn3z6 -Ei2rlg3KN/9L3Mzi7D7gdVwhseytABEBAAGJAR8EGAEIAAkFAlhJnJYCGyAACgkQ -+boK2jHL2J7hpgf9EDjp0U9FgpmW0JVKOshmkdJIoF0km4YBKn5KLjVTmPNP2js3 -gD4PMkfuXMUR2/uDQJvEpgL/DqbKqt8TgupxGsMmQ3mYgnaiVwDH0yNSz6rpzYSs -vnZxaIyKjpp963RfQqAtg42PF3Dje8vlMT7lo7Pb8naUr+bu7PaIsPZL1Bl0lGMy 
-mAKS/AUZ6B1eUIy7Qg+/Qcl95+f/4nnQuxTpA5kqcibAAWpM/xbxbpKoydbJZG0o -pxgai9hvy7hOf0Rlep7cdISuP5YcAdGWYSHq5t4RJplGLFlBD4hOAzkTi8Kmtjri -LEIp7fMG8QCYYge3O32KK6BSdWmgYjuINvO0LJkCDQRjDhTjARAA4CrSPsoEwnp/ -dp9xhk0Mv66oWx9YbLPqmSea2HKfFL+a5BKfOYxIa2Rdp1lIognPlmBde7dQtaT8 -YfHHjjWwhp1eIWcQvu1Qi7hU+hR2BOw9uc0bYoPGJ0VsWoa6bqn5NFv8n2owm1Pl -WwkXXZpi6s29Dpm49BGxDuO7kRUSJOfOHamKn8WBvJcbcV9WEn+GlLvkf2KEXdTP -yPTau8Oe56yM2HNpxZcDwI++zpHvAgWaVxYOaSljpmojpIdI5RQjSK48hQutFqJo -3znqB7Csl+mf2a9x03sA0bBZeV5B46WcnvAWftItWQIQK2jXVk4tfWeVyVaCFR7O -tmubc31qZm2O0uBx1CiX7PdUSxopwVyeiM7ZgL5oIsLh/J8gPHySkNAeb9fieR9l -XVnekALkWVGti8hM1az8ZBS/F0aHjsQB0TRwI+5Nkoc97xnXIEOwCr1425yt62B/ -XgHRCi+5ViT6IqQIQfh+PXX7cYR+n7C2i1tlHS25dYosBx+Z3YdigGQahEoSbk2E -kPzPtIQRSvvaN2va9pctMQ4bN4H9d7HzA9tHpvxMUq3Y9PLpqg6SlIo6XuEpMb/I -5JxsopPe7wcJm6rMKH7vv8j76zKSc9oWitsP/CCQmuiLTpmdyZNcOKjubfEcpyfT -C76ekHzT85ryWdVNHMppfkMHTu+wv4MAEQEAAbQmR2FicmllbCBDYXJ1c28gPGNh -cnVzb2dhYnJpZWxAcGhwLm5ldD6JAlcEEwEIAEEWIQQsFsdl2+VKCIEw8bxLm19g -C1XztAUCYw4U4wIbAwUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAK -CRBLm19gC1XztE39D/4pT/kHyTZb0c0/dJw+4C93pTigi+BSOTTrVP/HoYvdp1gL -cP8Nf3ROpaa3sTv7qnZxG4AJW8EoWU8Bx3HuCv20/hEwM9vjVOdCqi313Ep/krl4 -nknv/8eY9lmR8mjgRVaAoL9SFvUy8bJrsphJ2w/rTAMX4EKK41AoU9KGXm42cU5e -rIWGp9OUzhSavTKppsn4rmBm6uw/nfmNoGLithmsvihG/tXN39Ruf5YYeHEBi1Rj -L9N2E0VZAKwW9KbG5C8ylu7dw/8zrbXQkPemv6cWouGNdP3s1gmByoVqrBK3UU0a -/13U0aT4wut/BqQ5Xxmqu9RfQOEK3e/Q7X3kGp2Zeww0UreKfjoyvcsfjV/HDOAz -9Txip0OCd1BvyGSl0lePLSSo54zSPJA8ar5dw501jeKn1/IZdl9CD+hxR0uqp5x/ -0y2QXYcC6L2GbkRkcUkppo1HVjdnpjakGyip9ylKmNRvB9NbxfKNGPC7B4MhGix5 -ho9PJgqR3lwhgkLM+Y711I/JPVgwffUiEASwlk7XgGd67s0ace8wfxDx3mTWM58m -2j+BLNjuQZgNxynYhsGP3Ln6yMnKsGkT1wIY1cR3CUzdl9SPhloRZjYs0MFqZQ0y -csHDFaZJWmQ0PzurREeiF6d21UQid6kxlA3c1AXMKOhV+ItlXDD8cAwi8jZSG7kC -DQRjDhTjARAAyLryPRFyL7WN8q4sRN5Kj+wPn0mf0G2ABNdy94A3HXfglzqvoMup -6rOZerwdJ9CqQDWwFL+UQgCLf2uDNOr8wuEMjkno3m9/29fxCw6DnU76jeEEdWLr -Br3/4cgObd1GORi+E7dcBkQWWJW5/HzH/QXMV+bRklu1FCeq2h02CkvCsZpxk3RN 
-wLWtrN6Aqat+Yi66ERDc1dboGCGWWi8PdfemjdHwJBTZ+XFVBb/4UyeKXa8nXxEc -V3MVx7jJ8F1tpt9tWOPHrl81g2tkc7k7JjVzdu0aA0AcnUfoyuHMfK3C7ByWgYhY -/lqV+sBCT4aIgl2uFJ65YyzY2xdd6I83nP3F5KlY1SKzMFhd0JnAkg36NRC5jBw+ -AgogKqjy9bRwpSWym65Yscm7NN8bkk38RdWaoY1qFL04TxuSTgPoVzAeDXv6SbtU -jAfmosjhSVxgnXhN3Jltb93FecPDoB4WP7mpfvMVmcKlJmCFkAdRjAGT9afRO18Y -sTGySOv1kEwbHa3Hg0xtrnY5O+hJ+GBhwFWKG8xT12C79ioXlPsmpy5F2Z6M+4BQ -eCL7lWscB2UnYJxqEmiKMxYgqTTfDrQBRXVSNDvUW8w6nJ0pLTjaip6XkVhQnhLM -jGenLmKMW2q9jYydiC/hzQQUuZ322dOD8o+/H6RryVQHKRfjGe0+Y5sAEQEAAYkC -PAQYAQgAJhYhBCwWx2Xb5UoIgTDxvEubX2ALVfO0BQJjDhTjAhsMBQkDwmcAAAoJ -EEubX2ALVfO0yekQAKNJrAJhVXkkj88QmHnBcN6XiLteQgJ2t1YnbGWd1vnNVn9N -YWYqYTzi8VFVza9Vc2gaLONMRidMKCF97Qu9bcs8Yp2lJWKWZxOIeaLUtD/kG5vj -R6kXg33FZz6D/PeedYXx+nqQVIJptNHefhTW7k2mzLCDt7wUpPmPqe822PW5Bxau -cAfiWM+r38Xv936wdc78eo9DOnoTKxtf2IwPs/S9Pu3rXFMv6r1tYUpHQbQmzBL/ -RBg844RI8T/sGUie5FtsYWxVM2zNqxRqHW/bJ+8/bF9hn/pVcLl8px15uekXNGa6 -uHtjJTdPVEJI2U9QU+GxHCv6FGY6lnDIBjEaB/GZcNr/KlDKkzQbNO5AvfuLo0ks -+vUyTOUdUcqH+5rnDnkc50kqpNmzEXn3vJJCwCrCm/cWMldAqJkSWVJsSw8txDJc -6o5VYNCF009UNM+VXT/XQePaA0Is+A2gHqgM/D4LbRs+W+tyTNt9Q1FMXa5Lp3m/ -o8+ywiHi+im/eavlKM4o+5xWo4D9XpKmMielpaMazxBmlurMq18Rj3EMLA5Q2fHP -7sEwbX0ZC1bs51b42lcfJuq0MHcBOCSRaa9LRye7rOzBHGKdtf0v9TA/prxvF8D5 -/LHkZ0xEKxjQ/mJCiBrxIgKKB2GGVaYNQIneS+sMKo6ZztVWF/eaOASGf/RsmQIN -BF629C4BEADl/O47tHfZap6Y3PwfI9/4we/TDwJLqBP8jMz3AH8s5e8rWHIIwXJa -o1NWFkd4VnSSiNEMeffkrNWpyCbjr06NEmmp49GCUpQwhT1DuQu8LhKoePhIGnAI -stty1LbpylSfTEO7fk7SnkYoyPOCiufEXDOLpBx8Gwm/cMNZhFI05XCQSf5+9Ija -ExihgmdfCKchbyvGrUn9Y7eu5PYUtsEu1STasNzq5usSQ6hot3zBbVoPRK8a7TZC -DGJqzvqH0bIpVHKVKxA8r9kPxTb4jlRPQV81VSe88TgsIzDSeGqOhM5NDTmVN+qr -9AYPAdyFjemsVjMFEL34dEgM2VBsX87q2hvOkY9c9tTycCcUAEyEYREX5tdfBAFc -cD/8c9DcK69OOB8dFovJl+qotAeXda39PFQFKCfwYa+y326Y24tM+Jr8GYfsnUa6 -MA6H3/oNCAGps0VZnBVRcjnSzNojPc9dA7OnT74ukFb0zGX6xN5dTCKRW/mLjnlO -QEBW5dLKNh2lj9UzG/9KUI4V4fVsEjn8IxtUMhIm7OAsUjGydk8D2CzaPUEGZwXT -zDwVH2tCZGocPjZ87R4xDbB27K/4nNWb4ux7mlEwis5taBnoiKiAV7R/Fq0LEJQF 
-oiXRL7tmJCgMo8VDg/a3i+GvDWxr3tTHjQtU+KJ1+Tqif3QrJ53dfQARAQABtDhH -YWJyaWVsIENhcnVzbyAoUmVsZWFzZSBNYW5hZ2VyKSA8Y2FydXNvZ2FicmllbEBw -aHAubmV0PokCVAQTAQgAPhYhBL/d0oZCgk+BGO93kJtnpcEiKRGPBQJetvQuAhsD -BQkHhM4ABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJtnpcEiKRGPd2EQAKK3 -pPDXSMZHoAwV0q1VUdMANxbE+7TE9uXFQx6VdDZxlaEWEUFuua41u8zwCh3v6F5O -jDrlWwoPRq/c5yWvypUB7ItB7L/uvsOqy6V8PGkH4pHxYCyFThC2OvzKFXGqNrxF -70NIAz6NySlQPlu5TK2PrC1MiXMMPciNdfNagSUZQKecMMij4qjRMRypcUZJTEke -r4CR6HC+4UlnBj6UpijKquaGZMAe95oRJLVwCOshLgHjihMe12qwX1njeAQqPQR4 -KZ7JUeaY4M1oymxyuZPlwUtAKSouHQ7s7g3KHaoSIalIaxY9OCxs52H5y2uyFbrq -SDVWPh1/zgXffmu6hB/oReyDhhcH47+cTgn23cw86d7+Buppbs05g8QcjbWv099I -RbVpirKmORT+4qdXjev/w74WZUFXKW7PFhHor6PAUb2zAcurVv4RTIVsRD6wPovU -KgkbdJeX9vbJrZycgnGT4twL7WSPKivn4BYBIp28/jZzl2OtiSyZf/hrnEqFp8fa -4DiW9mRA3ExbjfCQqOGMTwLwAkj4m+AhdN55xYQLsj/6pz3AysBRoS1E/vtxSIpR -AAmf3UhhMpRkKk0mA5f4MsQqR7JZ2ben9k/GTHeH7qsqzb1k+rEwEY8F91QgsBzT -5zO4pPQ1rIGTN4CBa7QcJH3fc3i9rYMYAtuVlpCUmDMEYHHgIBYJKwYBBAHaRw8B -AQdAOm0RDYTmM6omlqoTx6Wy65agVJ4q8EPGczNnYOrHyo20HUpha3ViIFplbGVu -a2EgPGJ1a2thQHBocC5uZXQ+iJMEExYIADsCGwMFCwkIBwIGFQoJCAsCBBYCAwEC -HgECF4AWIQTCjZN1dWA+tKu3JYYcB3ncXAqd5AUCYHHi+QIZAQAKCRAcB3ncXAqd -5MZdAP0eAbdHgjHqKYol3QaXRhErAvvLHPSEXN5cAImF3zIICgD+NJZZMQDXd1OO -KDt+YLiIqIq2ibRhOP5mZryPCGkq9QG0J0pha3ViIFplbGVua2EgPGpha3ViLm9w -ZW5zc2xAZ21haWwuY29tPoiQBBMWCAA4FiEEwo2TdXVgPrSrtyWGHAd53FwKneQF -AmBx4owCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQHAd53FwKneS0NwEA -t0IRpoCN/JNwg1TIseybpmC65nSzYVyX10xe4Ji50dcBAI6TYA+47z6F4IVRg2c8 -Vtg1xktot7b/tKn6hgdv59sLtCdKYWt1YiBaZWxlbmthIDxqYWt1Yi56ZWxlbmth -QGdtYWlsLmNvbT6IkAQTFggAOBYhBMKNk3V1YD60q7clhhwHedxcCp3kBQJgceAg -AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBwHedxcCp3k+3MBAKuK15Xy -Hw+sdFATFuW9vN+lXqHnYid2jRzQUoh5wG/FAQDcBXQgXRfe72XRoxY4AE3E4onG -MfzW3kbDKDVF7o4zDrg4BGBx4CASCisGAQQBl1UBBQEBB0Bm2FjWsSDUwL5nbAht -l+rwnGLKbWiVYrwHQocgKFj6GwMBCAeIeAQYFggAIBYhBMKNk3V1YD60q7clhhwH -edxcCp3kBQJgceAgAhsMAAoJEBwHedxcCp3k8ZwA/jLRHUBKIeRAxeGJhoqJRr2o 
-TxrP887FuX9/ikSX21bcAQD90AB2fu6dpAkOFyZzX9UdE7QxtBhHVWRx3DRr4P/c -DpgzBGYgDVwWCSsGAQQB2kcPAQEHQET/J56AhF3VoW7XvfydS3kGVTEN7zzOwA06 -KmRjb1w3tCZDYWx2aW4gQnVja2xleSAoUEhQKSA8Y2FsdmluYkBwaHAubmV0PoiT -BBMWCgA7FiEEnX+ZoMuPBcimlY1iVql692AKOaYFAmYgDVwCGwMFCwkIBwICIgIG -FQoJCAsCBBYCAwECHgcCF4AACgkQVql692AKOaabxgD/U1oPDkgLiGarAcMXetpN -NWGxtPCQpanwfP2j3qBKj3EBAPvlcIwuQaaXpSssDOgrWLcUdLTPs7dzo4ypTeNN -AMIGuDgEZiANXBIKKwYBBAGXVQEFAQEHQPkjqvdb94qwtcImUfZHrErbLpbCfpYh -QtNaC7k/TocBAwEIB4h4BBgWCgAgFiEEnX+ZoMuPBcimlY1iVql692AKOaYFAmYg -DVwCGwwACgkQVql692AKOaZG2AD/aKqJAuXwOclj3Yt31xhJeCuurZHmyDmuT25t -tx54OD8BAKZcfBeklQ+7X7M6I6iQ3+VuMOKtBdMJJz0gi4wrpXQEmQINBGZLNvEB -EADLRJ//ovPDl1oL8OUdCevYx12mazjaxcimm2ei5WxRxYlB1LSjjFzWrzvSlwq8 -WXoxjyb7lLw+VHSXokO88Jx3zAUpepZNT2wQ3/YTGw4i6wq2uyyPsgVPELe9qr0Y -8mROPf2CHsDfEaFzoXYZZ31ucXzP7N1bIH0uvH3THYOMAQ3Ag637py8exU5lehs9 -m8mLv0pQIDsWJUCsXsjiDptI0/8qRaBbuP10bo8gJlxCH+7UQI+Adac0drMgbIWq -fsVhm64nbvOIwxMz+wliNztXlkw1anmK5Q9ceUrpkkjiFuEvstyyBlwqpr8a4sOf -T7wxjs/2wg7IdJvcQZFVbVRw+WVZ3eVgSkoqoCGd2KrbaQjktCihkmSxd6gTCJYU -OVUl/Nxrz35AW7kIOUICsYrd6Zh7Xr+jyjfVcGs55bbxzl5QCsPcDtHXdOQ2oAVC -3zqkjWDDloFdGHIVW5W7flc9jvfg7otmmSlsCTABc97JCoOdlDoRtp4wLg50RZXf -QJ8FNpqebyFhFmGO4AGkbYuycGiupVq5rfdWM46V7K0yWftSZSKFHiD+B2hq3doc -uk+o4g2AdZV0eEH3/UKRz0L1p5VCWk/yU+oF+tzDrhCwfGSy8PQL4zfnkfttSFMm -rlrgohyAF5QvBYZt99MWO1Hr8O2hPOkcZ6CLgsvrMaD2mQARAQABtCtTYWtpIFRh -a2FtYWNoaSAoZm9yIHBocC5uZXQpIDxzYWtpQHBocC5uZXQ+iQJOBBMBCAA4FiEE -BhbpPZWvRxJD4mdhdwQm4X67s90FAmZLNvECGwMFCwkIBwIGFQoJCAsCBBYCAwEC -HgECF4AACgkQdwQm4X67s90g4Q/6A8hovyPm0qUadEJzXEWVLdLBqwHf5Aagxu8T -EQUhn7ku/VKWfx8UBaI/5hTpPEC+LexkeweaK3xjs6DeIyFeeY87ZpujZ8U2pS1D -grYNH11lRPcJM9sh5X5p0EnsHZMAIAqNq+k5bv0jYNNKduf5v44Cls1mg+I5CBhp -geZGRE+QLxRGb3YoQC3HwRnXHCYNsQNYbRhYgsUwfwxoHiGpM1EjeeX37mVhETDn -JNnxKf/7r0nAVcQZqz1okJyhNBpM1Y/NgCxuTyG222TZmJOYuNbyZIT2ZG6z0IbQ -Zbst4rhWmJk1oEA8EV5chMMOwP0eUuKWBHqT/QCmrX9JyWKeTm7XJb1LBi416esr -TNKicrPnhZopTkEEHFc60RvchO8XlZYepisiJprUjW2T2KY+FbKwwQOFDQk99dVw 
-Yocd4CzzkdG/dKeda+Dj6oz/lIniEtPQREC/rZGlQNw+czkHhvk1Vu49BrYMY+Af -nJ3QZqQr5xAQaVehnpcxaUPM23pOmLiFm0lrtuU32yIXeCy+UEX+0k2f6iODlr+3 -792cbpMcH7Bk0YNOm8b9SNYvqVPrunFGttg04TtnTMFpDaN3i8GWoMXj+NmrFnQL -By/dpc3YvRD/hqtRXDwRXTNoIaCg1vttFWV4F86XHs0p5xoKeUfHoHlV1320gZCB -n8dm+a65Ag0EZks28QEQANZ9UNHdyJJSGTqjLIPQQET+E11NmpwbsLjLiQMFKZEm -L0VPtqjh2qtLeKGSD9BQQNLHfEU48M3GiUNqH21UDWh6ObDCGE2uPvL3U/C8w+2F -4IABv8WD8FVaZkREX9MoRiPVd1HOEAOYsgP9Qwv60jVM+REDSnk/0lUfbcvt/JIx -NYoRnBLR2LEG2WV0GNnBFpkJ5+KzR/cdtZEoxodNJvE2QOeN2BM7Rj4LTtwxh6sC -I2Xd60Si7nNtHSn/C/1/+KA2igH/w1+buS3pJXkhtH+Z6/8kBdUz7GgfIzRBfnJ7 -8+H9PFjIPPa0/waRsaS1Sgk9FLNFXMrmjzg8v67qmhjgMrdPcVGkW0S2WvK3pY1F -iYf0iMlfW4kKwPJAKNM3x+x35Bsf2a6tIAQkZOjcidJppenAX3tl9T0vpuCO4eaE -KnP2Dyxgnpm8+Um9kwhapjhU0tJVx//vMzqovb6dG5zSiG1XZt5k0YpJMVEuuYpu -wTnJCBkZz8nzb7+JQ12he0IT2mPsXgMlq2Ddj9OnuoCZpeM/YkjxOGwVZfNvEJUU -hbcH6Vu5gPnG3+5tXbwWnC1jeA45pKkq4BHYQnoBW03OAcavKxUWud8Xh5E4FNAW -JQ2VyrI1Bl1raXL7mvbDxRXMLGyaz2KDRRoKtpYCvjoBr6azfIR1yjDTheJpAHGx -ABEBAAGJAjYEGAEIACAWIQQGFuk9la9HEkPiZ2F3BCbhfruz3QUCZks28QIbDAAK -CRB3BCbhfruz3b8ND/4mPooynDsIAXQ2ygvAXC/zpIKm1fc9f81Ju3hC99vMBdTH -jMD4miBxRrlUZNAWqpzORMJqMZFQy0BHvwphKDtRyhE+PPu9pQHqcOe9weiCKu+M -CTrlS0hUuzg7RBrzzOrf2GuQYS8SbHBqb1CrWQFnOJ0L5tGHd0sRq7KPY9P3Wy9O -PX1JX8eo637LgxKbWC5i4spd4qRpXYU1xaeoG8s353O8oTdNCfHqxKI2G3lu3J9o -jMNUxRbi0ATS3VOXGkLkhyvtDeXDwe+N+9cTRwMc8QEEYvBhL9+B1NUMzRfC3GSQ -+e9oDBVrvtEYs4pY+H56ETm56Dl2j8uiyCGHSsjjL48lDc1pQXnlG9aQn/zANQFG -6PdMsYYV+qN+Ktp3sd6a3LN83UaeGxfaOn3A+SsShQenAGKUmGWiDNMJdeCrLwXv -SFJO+qEFMrkEFnKb1lPCLkGer/5oM/KLyLZDzOy3+3/Wl0B0nFZIlNw5VZB9OUC4 -PcR7ZPsFhb5QIxpQrq3o6g1eQXrxTrZVJzk/0K3Lm+U29jbmGgQT4S31gnxwzXNK -EkVFnMlCnAFHA3XR8l3W2tswMbPSSogcNS3GPro6LL3ImaCVxmrI/w1QgGZrxP53 -PNSyH0MxH1kVTqTcxnGJL6BUt/pTdScHstABscsNO/h9K2rfsNinuiQPA0QDZA== -=ilrq +mQINBFjxRtoBEADkS6+Q7afwYDPFnqJXuyF2ZIvXysDBrpr/xbre4jVeiC/HIELa +QedOJqO1V+BgnTRkfhor+Yq3mZ1un+6zJIiFcm5Kp7sPZjh15JF96PsA4e2Eh5eC +eJzjXHj1nAKXfn5+CgpYEyL30r1/ACkmo9TKIiUxIDZRkZvxjY4UKeo+EoJo0Viu 
+tV8mvSTgxaz9gzPhZ5OJR8zECT8j3T8d+tBD8wWxxmGZ0veOu/MBew1C/BDr8RqT +CXDywUbyNuSsdb3a5aLuIuLekSJVSCcFwPIje1WrX4FyC42+elOp0SXpjWzdb08N +XX4DEY8zVyVXI1ScSpTbslffcFkY60NJhjpP7t856L9vTLRfHIM9BIdSYH/ar5mE +Q0vyJbiNfkx5tIMnEmnIYbmnjjmcPZDKZ4PyQEUEWF3DqNOOAWhk9HUMFEkANkd1 +vEcNNQxgD2eOJM6egfUv9KtuAEcRX2iDu3gIyE+55x92VVoEJDu5M+Q6PYGUIMh7 +nz2gS3lnlpG2vquQpqDS9UogsZ8L4NsukdP2ixRFnD9qaTOemqRYwIptOX6wvrtR +7PmWOnnRZ5OcpK5/qyK9iCLY7bbHDViBoV0uLEHNPTDHjrALJrqS+dH1glYid/82 +OvKE3KREjRpMOW83nNfQcqkMi9fhH8WUkz6OD6JemvB/s/CwBS2w3+9LAQARAQAB +tB5TYXJhIEdvbGVtb24gPHBvbGxpdGFAcGhwLm5ldD6JAj4EEwECACgCGwMGCwkI +BwMCBhUIAgkKCwQWAgMBAh4BAheABQJY/TOeBQkNNFUtAAoJENvbOXRw0SFy1xYP +/jQeNv4WUPK3M0Hl3EvEnOeODxePysU0khvgnw/mRtQu7BOwRdbB0HWv8Kx0HXL7 +XI4l2myHRZbd9PrBlG4YFYjZqWmqQ9WGlLBxDpSJNeROpTgKjhxA2hOl1xH2Et5k +bRcZzpJJ9zuD3rqkq80S3u/UAB/QzYfJWKnQBTXi/3psZNAVTRp3/4sEn1kCfEnl +NUYPih/NqdXE0frlKeITOAmatD2cjYcJlc/ETLil8Sq1nIgiE/++KZalbcXcRSHV +ZSd/L+fNlMDIh6k9pjcE562oiyyMHKed/pAX7o1BqlKqSwxjQoNskpICVFkyMv+P +7cIPyOxJa8kaGyyHND+8i1GzvwcPhLYeOWDwmiXBs4Ea8Z7KWxhi19zlxMrEfAcf +FIomcRoxfzcnSY3FVJYIoEySK/IBiivqeunyeDA2JG1vLSZIV5hNicUihp4hnhX4 +Z1gElN+C68P49SZseFzxvzwMq5RIUbWVwIh2+Wj51/UrULgoM4qNkgejDLYFyTxb +LfXq+Tk91UXdpepBHvE9KFVqh4MbIlyx9TAzOizqLdZlnPRwLb3rWBLsv7XbCTeY +tp4jVU8Q35hnvGFy+GsSROJv04mJW+whyz+zxOEMPiVbVA5um3ZbSj5oou87M9Li +JtrUOqNfyyqddLC8L5LgwwlYKqP+W6Q4LMf/Whoj3FFCuQINBFjxRtoBEACk8wfJ +qP03Hz6PX8br3jEUllSngdD/28K2C4RVOOr71u4FJRcEMR98SbPnCNIUt4KdedO1 +DJpYac1XvIaVBbLxEcBjRMWNhBgZbxoQzPjFTWHQ/UwHZPiiwQkL55fN1ejBEacD +V8B1JwqjcBbii6zItLUV/gxGH7Jce/f7KBM7vWlaP+xHpmd+iPK1swK5wNQzDL83 +b7NPyj58fqlmh54Fr+jcpuUjynaYfjtJsgwc4CScdai7FclctLMg8Y8DW7/bkqf1 +BQy9Dik82IWSN4wgVM1eWSGx+PzPlshGH/C8B53U353NcRhjFp3zX31wQhsJrA7J +p+10S3HbXGrr3aVGMMq3dqSBGp38iKJUmJ3zyVvby5Mk4+8FFmMk3gVuQE52pW4E +OlSVQNQC8yzYsgaG/4N0M8DRpbfPhT5wiD/Qcb7MUXTE96dzs/KcyPJju/aq4cJ6 +DgpbJmM6OZwnx5HYwa58RgOwAVBbsxYOa6oS+Fj02eaiUETwfPHtqF9juCcM5D0m +cLZRT1I4zK60qPb6ZDzuFguXg8hm/djjh2YlDFCNKqCZHktCISTWX5u1cyF5j+UL 
+3fsKcAAcyiHZV9UH8tr6v0i0P19Uje2ZHk9utJggYSSM0uyqGhmiyd8su2FqitBl +tvTo00Kc8sv4AcDmCng8SVO0og1wiJZdiHJI7QARAQABiQIfBBgBAgAJBQJY8Uba +AhsMAAoJENvbOXRw0SFydu4QALeYG2PPMEOQtMV6jOVT51U0Yo0yl94RJoQCOCCT +/JkUyIDczHmtcVABrpitX3tFl4vacJM3uKWKbzbM7qO2+Hd0u6rxO+o8WUGRMZp5 +IgcbagDOHs0vorVN2Yo0Tl8RoqW91MCvlRFA+8snmKjWfTYj8jxbhIUEtVrIU+5L +DEgDP+T6PvpaVeXfLYItieCsZgib3qPz5mM49jDH84XG5F19kx0QtVGJs7n8FrcA +GcQl/iMrm7dRrRuh9394ongIum0uld287Zlg9q12iJiir3w04Npy43G12RXq9TD9 +aRfbMhQ+HB5Dnvf42mfCfGvalSE0rg9mh1KeaiQUXxCzCf1D6a3H50rh1IDn363W +n41/Hr0j4ntVjvEJxs9nUb8qod2HMOPLOFqwxck7ueGaeDN/GZ5zjPdIppYwE3Lb +CM1ZFLkV+QhFef4zXwml1/AnGGFULgGYorwGCchizhU1wbZVcoUF74MtprnAsuPd +Fxlw+4yCcFEeYVpMDQg/ZfZ28T1GruGHqLJqIVpOum48Ec+fjnHAZAH9dOs/qhBu +CLE+5xUoVyP2lwt0MaHs5SLmxRKhcV6IWRJKTlZ9YdDXbVv5LisL/qDOTjRj7vOg +CPRhklyA0JjFeyTDpSeAWXFZnab0nYBPWkxtdxxRruEeQPAYP1vl0O6ABMxRAI6o +6zIImQINBFklYukBEAC9tCSjnoNs3ucOA9RPfKcuK87JD9jdet2UUsw4DHd/Hwmr +t3T7WKoH1GwRp+ue5+vzXqdFRZ4gG+7tgvUsOtNb5rh22bTBsUIeGsvm/omJntXC +FQhYcfjtk04p3qtgJ5PGjZahCRYg4aQ2tGp2Mb8auFuFPsHtOHLWQCL7vQShsN9m +EkEzAQZnn9QYL+IvTQVSKsRy8XcHYZVk2uT2xQY2LvkAucWF0TrjU2LJ2IFdepc0 ++jz1xasBR0afT9YccHpQH5w8yOW+9o/n7BiMHfgT0sBMdKCfKVoQrQe0CsFnqc/+ +V4NsnHkyUrbfKiIFm+NOupIMpL6/A+Iky5YpjIIUHPuVL6VAY6wm463WI8FPk+Nt +Gekm9jqISxirkYWsIEoZtCrycC8N0iUbGq8eLYdC9ewU5dagCdLGwnDvYjOvzH15 +6LTiE/Svrq2q0kBDAa7CTGRlT+2sgD89ol73QtAVUJst99lVHMmIL1cV4HUpvOlT +JHRdsN6VhlPrw6ue+2vmYsF86bYni6vMH6KJnmiWa1wijYO0wiSphtTXAa0HE/HT +V+hSb9bCRbyipwdqkEeaj8sKcx9+XyNxVOlUfo8pQZnLRTd61Fvj+sSTSEbo95a5 +gi0WDnyNtiafKEvLxal7VyatbAcCEcLDYAVHffNLg4fm4H35HN0YQpUt+SuVwQAR +AQABtBpSZW1pIENvbGxldCA8cmVtaUBwaHAubmV0PokCPgQTAQIAKAUCWSVi6QIb +AwUJDShogAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ3J/40+5a8n9OJQ/9 +HtuZ4BMPMDFGVPUZ9DP0d74DF/QcT0V101TrdIZ92R4up56Dv40djjQZc2W9BmpP +VFr/v6qdjapdPH5vvmatnQDz/nIOfo1iwPWGzvmKnbDBQ4qJX7Jd6PdD/YorcD+0 +tOQNKLIGE9ZFQnS80iz9iaTGzvQKEQKEMugQSf3kG3NBEGqKQBsTTrBQOUJ3g8w6 +id2/qJtrDRbL9TuCU77Dpx9HUAnjj/Ixlvd4RQDa/BCYzGYJlCyTsaVW3qc7DIh/ 
+pRadqtswghSETtl6SSo9yHtoYOGTxXO6UikLEE8miOlaOPQrC9hCD+LSGc5QhNLB +EKes0l79w9kw9qZ9Xfh4pw/hf1N4O3kPHyUg0q9QaX1XKtigjTUcpdf2Kq8LtlB6 +0p40eZE2dV3T11X+rcn33pFSXMeTJeaNKHXoeGcva/gyZVtvi8iJhqtw9QOUkxRD +vGB+FEUId3Z1yAu7ZAz6qiUCgxK/VJ6/kBb+YYR8K4FHLmNOd5KoiTerKQu423uu +MYlYfBHpVZ9YuEJQnTEpizFEeOgaixx5RDLnoPsd/x59VS9eaaKotTPbW/rEp7Sv +bKj0dR5WMfGyd/OJrcWVZy8/Kh5Mc/4KOHD+JGAp0bE113TkEEoTZ8gNHFdLdv52 +V9eXUkeT5IxyThZBkUy6palDM8A5vaf6Eet8xOLy9XG5Ag0EWSVi6QEQAKujAODv +sdbt5n1dO29Nj5htbmt6M2A7eOjt7yUj4UMtBaGOA08O0DVA8MJkvepMq9AJBXHZ +Mi9Dycw3rxBHQDqHJJMwghu3RoQw1y5Wym7LiLhoWSU/wK0BrKOULBwh+kS6udKA +4oWrV/gr0JGmfdL8dZjBF10kHCfCcjcjWtmIp2GRaoOKTlHCviNmRxzyqba7zE0Z +c2maQ/4w98BI83GqD1bT8gF/5qwSI1hecBwt9oS7EbZ1ZiE8SSE8Gr6OR3p5UNHb +zqxUWy8W4r3qulCLc6g1LPXP1V59cMxX9jQJ7lSdv0k8C6Lb6t9Wm8G63hNYgRCA +mNW5EnqieTrx45K9vqoqfQK6Apfy0UoOquiuK7QClT3wBd7kmyKsCfV0bwRA/fV/ +sC1Rniu8PV7CRk9ryudUXycKq33pSkrOfZjFIQhCqdJkVc2MPbAuj2pOMutKwGKR +q/Mt3O8nEfGqWaJPa36C6dhlPqjEGTIEk5P493DzM7fj5VVIWyUrI8Vm9FslSvzI +LcONHMtKtRs2cRYA085NKDXGN7i5Am7L7ZONfqVs3V493ICwmALzeSULNLiMtX+E +SQfdWCS3Hosnjbc6INDg9BRhFt5MEWJ/qchM3g4NQuukqtOYsiEUw8bCzepwJxXp +lvNYu0yQDxvP+0RzjMozruVz3VoHeyf6rSWvABEBAAGJAiUEGAECAA8FAlklYukC +GwwFCQ0oaIAACgkQ3J/40+5a8n/8gg//a75gXQ4csiDUTsUndb94EXqraffmMcT5 +oCzfcP+Mecbuv3G8oQZeLRchsW2i4QecnvPwrXAJcF8kJuN/KZLyeh21PWBy55wo +/2nbwOvQockXpK5yVeuc3DmdTaxDnW9u3QpSwbvkEyoCpeHH6rZ1wjqn8Qi1k7nj +C4qgXpRrLQdRsS5ULXpf3IM+vaxbQ5avVnNRu5zMA6M/0reL0RSjgMfnk+3AwLCt +uMiy1aStCe8V7Y60/oauk+IZA1VJlSz2n3675YD7TkTZKkYIYZHTBw3ZPVJo08jd +RUXtGJjpOyyWVjP7GMKvZuQVWqcFyc8QHHaIPDLkdi7B9YFPWqfwJPBfUXcdzjAX +I7N4XsSEeMm8S8SC4FKCidioP/A+bamKcONHUuZ+AztvLh24ZTkqzA/sRRYpbMGU +QzpcDbastuXG66s3e9pJa0R14011A4bofy6Ureh9q6TQNOkNegUUdjbGSd1bfNId +QXRH0+LBV1oaY//v+aBjswy4hJ5oXmQj5jQKFitRCP9jzueyDdMJZ0j0Hhh4ItCz +FV5zIKtWiy7pRp1DXq9LjoyWeeLfKu+HrEGjMwyTGJiMjcL7oCHeiV/a+fY92wpU +rY1/mRVLqKqDIA6/iEL2DVf21U7rXY26xxvf4QFImZaYLwKQYLe8TOOjDA/I9bR1 +JJmh54yw10CZAg0EYIdBNgEQALohT1pcSlW4sk0DNfAvur1W3U+TEkevuQnKdSD/ 
+chKs50nLYRuiVrsZsR28tnr2j41uwvm+Y6ZPYAPSkQZ8yAT0pYnXbaIR83iGtZOH +P6wdxV39Mpf0T3yD4dOmgka1hynqNjEbRhE/t2fXNKf0JrBUmkyyhLYbQlkH+raU +gQug9EsyOJxEMER9qZM+Le/JiK5/i+8JxhjPcAQxiKu3l/usGtU6zcVUGjMSqs3Z +89Fa8WBOeGxDwwSKrn8MyyfEWrbCCF4Ao8gBeFmIkWgoeyumIAA0SYZkFjaltbTm +sFjVmYmmLXIKtKTnzZx0+jYJr42s0Q8n2ymgSKcC0Cmn+iuKslhuMpWJaqaHuZhj +K/80BArAYETW6ne1IZWPSsobd/2x4u9iwCkd/SWERA3/KnML6lgOVJfNbFxDxuJ+ +LFvpe6VoSAHlc4fC6+lMroeg011kzjgWX4H94Bdp5svpWHQ/UQ3/YMGvgUY1vy+V +d28bGzuslsnz5o2Zh40h2Dmpti5s2w7Z9TvLD2RMM1N6PrdCXVrQx3bB9nN7x1nL +osn+0v/8gfck93SO9PXLQtUgqhhWsh+/TrOiVWmWqLvbN95zWSnDRVHp1P8vKEGX +I26aokxEd1mVfilQKnHv2k6ieMc1M26GM48uXNqLSihYG2WgNl80agVFU00m/+Ea +9Uz7ABEBAAG0G0JlbiBSYW1zZXkgPHJhbXNleUBwaHAubmV0PokCVAQTAQgAPgIb +AwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBDm2QTQ9jBBLKxRtw/nDncC5aYVE +BQJihlmDBQkInT24AAoJEPnDncC5aYVE9GUP/R/QmyOxYIXhjOJGkF7wsKznajRW +u00xRbbTofNroJcjcActcdd4KZjBTQukQLe+ywDq9q0yGs8qdvNVdoREnwkK7sfI +c/umJhTmWdboljw07x+NPzn71xLsi8xDT113KlSegPSL6tfkSDqnv4KrHQJb4HYJ +ex9whcnzW/KR015biH6DifHQfTRw4XqhecneiNCfdaNMTRb1DP4USrJAFIlIK8zw +guJP0iYnKSeInWBAHgroUcrLucUAdBfoQdARHQonlklQ2y1qxh1m4qitH0MeUK6z +XoTYAEgVMYJIN26gFaMoBRd19/1WH8p2h2IcecsaCFBPWpI1jbvz9h876cLC6N9h +hZPZFfsZ4BBe4Iw53eEhlgBdm5aa6SRobthKI8q89DoKuw5ok/tEK/WY9QFzkTDh +iQHdyfubopjVVpakaNYmJMF6SNlu7BfLv5yc/pHr7z5BA64WKUd4AJKWEtN7nu2L +Al4jthv23UnJ8x1y0e/ZM1m5r9/leRQz4uFqXEBa8Y0/Ipp8OBnQWNajmOHqO44E +4/BOXr09FYm12iC5L2V8TxL6HgU+nLRetgssFIWRr9NXhelITdfKOii6qrbLP6uQ +rjFXnLnLqgKB72gSXCYdHLEnwtskkqKXtB4jzYm2OPh0TstfNRdjaS3wepurzSp4 +UmP42igZx4cGzNp8uQINBGCHQTYBEADY0/Oat2b8EDcNSKPJNdyrQlDQ+N2fyTbq +1XPThTe5f3nRT1jepYqfsi/i4/6rza2AMvyxPO7AQSsHYlBYHxccqCH2Q90jCTu7 +iUJyU65Kx3aZC3U7VE4+jl81W5/b5qqjvZNRxLgDZDnvO7hBFh7b+jj7x1ABsHdw +q+zXjmg2mJCBsD4ba5jQaPr+nirvhr/Y744mGpaVWRlg7d/LhL73GRy546DgCVej +gd56vMsi2HBy2BKtjxIr2nd2yJn12+A5yenuagOVpye8F5Dy7ULFJ6iYe1/NpoVn +yipv3m0hE4C0x1vIw8tiXR85cb0aGuYgjOgEyLCE9INmMQ0ZZd1JqZwK2IyWiy0n +DNVJXqkzc3YjYZcrYiBb8dV7kvAf0E+UniIYTYtBU2rOWBM3aTT47Jh6ftss/tQ4 
+e0HLeHZpvpWwJtkPHb1jGD/08icZH4XyVxIlEMhziuAZdBDTr7v7xSmqPrw49afW +iXfROV01j94tFdvF48wDOIb3qIBBbsNddqMvHPTShq2wMHlnylVFM/0CJn/yxezB +cuQfRVWeHg7lbzSt0HD29fBz7MlxoOSesmJCN+swoSy4nZ1nhWNHEaRh32Vn2H2q +4ya0rZFEHk2fS6WWBMTh7cjinmklQVxAhB99d+EYCZ4SHu74Ats4LvAsdJwe5I9b +lOIrYecwNwARAQABiQI8BBgBCAAmAhsMFiEEObZBND2MEEsrFG3D+cOdwLlphUQF +AmKGWbwFCQidq28ACgkQ+cOdwLlphURJshAAkIdJ2xM7MV8PGs+eN2O0/BYpiCfO +Oc42fwAiqYQzr9WT3FtB6oSh6ybaN+RRgIke1WC9HxIvjxXWatJnbs1U3iyjBmyH +vMBxOCxsIm7hyyLI/QB7wB7sdRb4ZeObUeyXOoAKWilj3r2vOTuC+K9+W+uW5Hj2 +H2tnUKOva9F8RjokSkMiCpCVoGT1YWsWwKALcnQBio/GCyzARTCQ2uXHpHyAOdNr +ohJBJWD2qT30Fk/jnOGCbw0FVb+eX5854zosi8xPWFUHrUmzQzFwoeq1ysg95Fp5 +LwCtorI0ilZlCngFL1ij0OA7IkpZWZfCRYrne26JeMmTXSA9CEy8U8Yhh8Z36JPo +iff9sE08Dd3vmZAxhijjp0p7H0YpCu5qCG6ACIUKgoqwHV7bjkQ6+Znqs02Qi8wG ++gMVOE6gmiw/SpIHE8EJMrtp3AOqC8hWdnqtJ8Mv1aTlfkLn7fXmeWy0Q+uzJXLA +qnB3hZINXT5lI1jxjjydU7YlQiPHKGnJ/biBq+EwMcVQ3UirtjK2RvnFIdqcoChl +ufsPyEo99VrB6yL+tEbxbSgNOwTNWEuVZ03LVPH+Wr1sjp/Ao/TexcLJuPgvjVkH +xqMNnJL2kUnMvYnexp1vmocSL/bqr0Ghg5kqMl+rq/hwl/6JliC5ruBIp41Fg7D0 +Hwt0DeJiahaJT/6ZAg0EYGWinQEQAMQJ6RQqrrZgYJ6SIfzJPsC3zFd00C/UxLQo +aaiAQHEPnEQgjnAPqkvspSE7MpmyAohbUzXVnDO+ycxznIkLz0yYjs/m1qVB6hTM +w/PlD10ELoA6m3om/2E1vQQI78U3w3evBgVlGLzBIXWKLX7ZsBSm4xoPmD9mmisM +sM0xhqQzVuGm0I81gvKkIlWHPB+TqUWBpvDwmIdCRuGis7810OBKaMmTQ/rdhg1T +YZInZPfjeuW+oZ8Lqs4w3cfmyuDbbKQN8b1Qd2d9lJwkudI6KhIyH7uU0F1GeHIg +i9hZJZZcnlDiqtcHZ5YYEUHEzD6rPAL0LoUFpS6dP4DFch8R4oBpW8XTjg2BzfwZ +RCv1IuIgd6HhEUcuWj5QGMi6huCF/2WVDEoGs/K32Kyh+1Jg4OOOpuLP0/YqvsRO +AMbdY80xppR2yMMtpTJPhs5aCykZ8ffHKEsh4VGvi+xFIwuOGElqXoALFPas8N+D +5jXnJQR1/2zekei9YiM6jDXps0SIChBL6vG05cua6X5K+71YHHlDoUubb+tjiIHy +FYtzEe1PPMiLl6XtAdqllLqUQvy+McHgdqNOIU+FxbWDWjDtZ5hlDdZ+sIlz3esG +wl/zQQMdRdTsjcNuElOdl2pMmLlA8CvhJM+IkHVsIHponLtBqN0Ibrw+Sh1kX0sE +cjkfrDSJABEBAAG0KFBhdHJpY2sgQWxsYWVydCA8cGF0cmlja2FsbGFlcnRAcGhw +Lm5ldD6JAmUEEwEIADgWIQTx9pIjj7wWZuWlzNQZn53+9v+6/QUCYGWinQIbAwUL +CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAhCRAZn53+9v+6/RYhBPH2kiOPvBZm5aXM 
+1Bmfnf72/7r9wugQAJuMXAsnTk2m4Esda1R66IaOx3hms49hTtoJ3XTkOP0z/Y89 +66mJ0Zp/tjhof74jRwN+Eo9R0Vc4WpuXdL6ZaOm6alc4hYsT+13bO1hNEXFP70OF +3sithHac8wShdeutBdXGW/DcR8m7CXOsNWdQAlbYnCb3gt2zTp4DTrxmYVP4YptB +sQBQtaTqHlO0K0UGoHEkqk5PbbOeuUvvBAyeSEvislOxeSCQakBXFVROKojd90Qb +i6XFlNvZWzPgBHsrVRKuopgiNqfNAKz/n5ruhZcI4SKdni7zmv9CLiBO8P/qqzta +9Wv52z669MgPRMfODJr7Q9pG6AZCAm99oKCUStX/adKGBnfu0mx/v0bIyK7YSWp/ +8l4ioiulBs04xeZ1S9T6nMEGry8k2qlErcGI59DAR08aOAbKs/42W70Eoxepx8pw +S8KSyCfTCuF78bDdxXv3uutYb+A1AiHspu+esjJscgcXNRPYruQFBDUQ0aUzVrns +bePX6i1ZXYkPUTSRs6Hu9K8sJQ+mr5dTEae28szDxfN9mPqlNGbsKc21CsXwOJhU +IgU6a32gtZ7xq4g/A9DYHY1jSPhKi2q5JMbckQ2qzrl17zXhVISEcPTebQ0Qcu3Y +S24+k/mAqIGCrlSnFtLOf6MPTtL8JpeW9fiuys2spb/pHhqmlCevbda8CUtLuQIN +BGBlop0BEADLZJnHlI7dfEQ+thWKLLdLpd0MZBOugCqWjYdUfL89OY60W2C3Lrzg +fewjiNLxBzwvqmgEYyQURtlV7o04LJVtyO1B2b7ZQYQoC6gu+KV5z+8w1EOs6G+M +INda/QydjQk8ymChggGdHtWtGzTZ5K1js+e8wJgkF00n9YCxkkz+jJCK1L7w73vt +YvS0qYea1UVxmGG+cBsfQ9GbweRl6TvSjlmLtl7m6h1cpGDQrnyyp/yrfONLby1t +Q32lMhfH09XAPHpJWCfhv9dovgHHtb4Kroaj82UAZz2Je2Rn7SJiACLvezWEFTZM +WClntlHqHIVtmasntzhzzgK6E1IH67DgWR3m82noLpmbYlHAOLmNBsOYRGdfOQG2 +8L25P3HrWV9APikwdPHg4/0tKLgNzhB6yO6dj5Hs/YRsJD0Jn9X+cCNasP5VTLOF +sZD4J1i8jT8brlf/f367qOte3aFAPQq7OFYPvpFY/c0J0D6eb3FHCxfejVQL4YV4 +bg3HOUGynUeBGwHgyQJw/LY0LdCejokylQZr7Dj8H4l3b6x85UhJSKRoIin+c8aX +iI7/2CJbFDAIv3sovyMsAhS+GyntxIpYmoAl0jrqRCr6CWCaFl1Tjh3xrJ+pRCSk +TVq9OASHUqAb532B3Tt+DJzwrlf4qtQDFz7o7lPGXMnxYLW/KEa7QQARAQABiQJN +BBgBCAAgFiEE8faSI4+8FmblpczUGZ+d/vb/uv0FAmBlop0CGwwAIQkQGZ+d/vb/ +uv0WIQTx9pIjj7wWZuWlzNQZn53+9v+6/ccvD/0RXb7doLc6YilekZcEqtvvCrgo +/ZDbda1tjRbpQGyLy9J9whIdD7G7lSoGILSd8U18gCL7PZq96tGq75CDy89u0vI+ +IQ1WemRlfrBZb5qkSOGO2Yr/VYVxxjZbtYiM44aJyrehhA3MCvwzyP27iclH7N0X +sXgJOF1p3AVEfuXHhAVSbR3tkLPe7osXKyDUgUCuvJIPLSglCqPHsm95Xch8PpUX +JRemPpFnsPIlqDKu/vfIrDMZtnEFBog/afjA6sqmC8X2BTKF6Tiv8KKy0divkwsm +dAq+We0vkkIMq1PMc2UkDLv8DujpF4TXMvBXO3AWoKPDNt6L7zMUdymto5TIIA9W +sIbn+aGTfbfSflJlhlzJ53nyzl/x9ukFabwp7jjF6Vyh7KYMQE6ob16JWTo+AZY3 
+mvKoUXw6jwGonaBjNkuR9Em/IyjXDx0tiKKaNPdVh8Tg8pcGNt3ssroEKWqLrUjW +lrso/+QPeH2Gl5+NjQYSIcQOcYo/MGuiikA9GJu088+IgJ8bmTiFgMuq/ZLAuQ6g +kpZBQXAN2hVIkV6H5IJwp8lbyf8GG0qBCk9Va03+PZjhZLu/fb9EzVmhyX95cENY +NUE7QXQplsJZqchsBbjgQE38DWiZKT7uyRhZUCUD3h9ZIsYo63NrQNoA+xkz9tub ++4cXQV6iJi/GqeBTcpkCDQRc/6jxARAA6399os7LWW0t8VwhEmjSj+1L14Ryh81Q +PEM15P1DrUXagxeLu7FGmecm7r3/0CA3m6szhpIv9qZ8ifk1KZPYkKQUeFxJvfrt +RfcfDew1Ynp4ansl4+jARv06GdOwkG7EiyVktSPyf0hGqLayeQhmqDl2cxPJuPO8 +JOSDISgk33rU94/QBWA2RRLSJtB3MZupY9Z6RvYMswyRbcYKWQlqZ09iZ4IDqeeO +pl/YuIWECl/99bpEEoqFD9tNlpaY+mDy2ihT6RWe+4uefbSWfFEjxpGd+x1ccCKK +qViYggEl0bw+S60RaS+5xEOG9wnuRrVRnVe9EbTYw2+xMdDsBaFl0qvLPY/66Bfe +D+iZpA/dN2BrsOLLWk7CJ9yCgoHxL185GMLbQNy687bCeVUGDIBF56OKzGBA7bJi +W6Z+XVkVX16li908TBnLy6DItYIqYFmSgGCAYviAmsq1v/dVOddpdAzDW4RfH5Fr +BNopYM92FswF8NtDN+VstwWAUQA2IDX3fYwPimIV+xG8ebgVALy7nWkAdsFGPoZk +UJa+x5Ln8WUOF37kMbNthd/uBelyeDZ2MU6/Eb+z54GOWijnw2l7bnlTysatJ88l +0dezmN0OQ8Yn3SaDjMKNVs+kifqVlAhSip3/eIA4/3P3Bp/RWtakzN9nV/fUVWgc +6hu6FzM6ozcAEQEAAbQlRGVyaWNrIFJldGhhbnMgPGdwZ0BkZXJpY2tyZXRoYW5z +Lm5sPokCVAQTAQoAPhYhBFpSiAeB91Vgi/gV/JEN60b1PqMSBQJc/6l5AhsDBQkS +zAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJEN60b1PqMSNQUP/2me0vxA +BXrqn9uUr/09Cz+HWio7W3b901alD1amIKS4W8cKs1vNe5qHEQKH5Nd/LlYKuyKu +agKWKrfLG7dguNAEVCya3zUqFiT71yh7BD8SvvUUTqgpTet4fHW8sr+rIYgvrXUV +Prb4U5DvzVfMOBBO1QBFM1ZS6J7A8EeVmmyysYc36CPoYb/CB6yMe7G1pnE9tqoo +A4hiHwfrb3t9TeSzKIbKTcuHtGgaxIosp/e3/eFZUi0zPVAQKLBA1rnUHejVb9cA +RZQSIFpLBbUaGGBJSjNualoQOWPnHCuTy9yF6++B4ToLWLB5r9nQu70cdod21tLt +p2BMpryKikpN6OIq5Kpj62uAGDu5b/lhhbQV5tp5gxabhIyfoCnLC6JMHwVsppIG +1XsDtcM4IaFl3bl5Ol0+G0vuNru21e9ydGMHR153hPl5fszWCkWQhHXw728+vIZX +4KI3uLbpJLDHWY8QGrwGpqPMcqObcepkskejpKZX2JtycoiOlntuMWfLLmL7S+Om +YnFkOy8G0TctD45wLlfWtJDzRr2p7TDYcQ3oHf0OQMHAQ4qUJXLYyxlPja4PWiMV +x5I9hLtXfJ4krKK/FJQDccFegBR8vhQVoQ0WFot/Vzo1qu488f0w0tAJDf16+w8W +FhYnIbwfndGMgfu/nkAZ/NAkD/bAul9NGKBctCVEZXJpY2sgUmV0aGFucyAoUEhQ +KSA8ZGVyaWNrQHBocC5uZXQ+iQJUBBMBCgA+FiEEWlKIB4H3VWCL+BX8kQ3rRvU+ 
+oxIFAlz/qWkCGwMFCRLMAwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQkQ3r +RvU+oxJxzhAAx8TGL+IaTYEzEICUk2wBTISoSMuoF5eZU4x3ZviA6yWG1OLn98uL +eCGjGCMFp1/OFGZfCe/QAVj7/eBZzPnvVj7JkUrPt4EpU0XOpVan9cVh9Yzds62H +Q19WRJOnMYO7xzZcempmUsZ5oAGivRsJ42UhvHi409T/ZpRdyOtiWXmdBXIRK9G3 +OuLBhchvFIhAbjfYbFD+gVzdGThU6xHXAfnLoFuyzYIpXzgrDYdmfkskLmTd4meK +oFVwcBnPWXxUJz1HNxPCI/dY8DUmWjqnb4qBU+JnLq16UmvEG2TdxpKivcoJH5la +IVnAEa2A3answ7WU5yF7n5b9PH9xFsPJpcUc7+rc2F3D6eY8WY+tSSzyKxuRYF7h +FeRifwSSjOMDp50kgUR2f/5gGRD8rDSKTtGq9pVDXtIPt2xEnY/SH6O8Mmusmk8/ +bS61t6HPjEZBGOO9LrYbVBcHCZAHRzWuFTIadyh+q330fXlCYHaHAZiN55TEDocj +1XxlhiLcyRGwDtMnc2IOjJUjyxAXwFwVqVOGCFtop33tj4TCKmMD+NSeLWmCmDLj +81t4r9+O2A2A8AhEMBCC7m9N6DlDdGMeOyzdDTUTp9cdbnLRc2qJNk8Q3C4/FI82 +SoJtOE0buvA9Jfz5GEU+V/ZEuMj+YYRCz6t3iFISCjxWlUTIH5Gw5A20KERlcmlj +ayBSZXRoYW5zIDxkZXJpY2tAZGVyaWNrcmV0aGFucy5ubD6JAlQEEwEKAD4WIQRa +UogHgfdVYIv4FfyRDetG9T6jEgUCXP+o8QIbAwUJEswDAAULCQgHAgYVCgkICwIE +FgIDAQIeAQIXgAAKCRCRDetG9T6jEo2yD/9PNspNKjiGq0u7CBxY4XrFXYNzGVUJ +UQxnCZk5o+K1zpU5VCV8XjXBrehwSe/17hAakl+5j+qFt/prORPHdXPyKyI+SM/O +muc+1AjOU3OPApwrpX0AsYMdDi5BtpXiJ8RGBNEsKJN+hCikpNkUXVlbluvcytCX +/je4TbnJdRFFSJCdP1YXAzrVbXCVFWgTU5g5SwPEpDxs9Qzvgg35PG/U5QiFSTCN +CokT1Hdf+S2a+h5nxSnqm2Vn80NyNBy9y4kBBCkU18NzR96cWxiccshR8qS+7Tg1 +EIBFFnheZkR2MQukfxCHliX40pGipyHE5Kf8huYgNRiHsfdYIfzYQx8lfvwRNq38 +QrMihIfcBZfl6z096J6Aj6XiA5VqcKDdD0gVw77KCkRyzBtGt6kSqStF9JYE9RjB +b375qPsvCVhW/alpScnRtJzVytDT9xeqe5F0V6/GhNvnlgBo3I2p+33gDb5TQOFw +oidV46lXlAYo0sAbXJPw9ZZrHE661HQ9T5CLtJ+cadITX3638Sc6XcsdbD+upU2V +1piQ9gUvgCNdYGjcYMXTfe4l7x+6pthE0lb7u+q/nyzTozez0xoCWygMJlETQXKn +s6EnhMi3phAuUnhso3fWAvwtOgHW9QaL+rx5npad3wGyRo9xqTmrE/El8FgALXY2 +XfggH/zQhIwNIbQxRGVyaWNrIFJldGhhbnMgKEdpdEh1YikgPGdpdGh1YkBkZXJp +Y2tyZXRoYW5zLm5sPokCVAQTAQoAPhYhBFpSiAeB91Vgi/gV/JEN60b1PqMSBQJc +/6lWAhsDBQkSzAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJEN60b1PqMS +jWUQALGWNAhYnuTTAIoKtwPsDab6kJV3TcBaiD5ezXXYX1WFEKMuLenYkCIzRuWO +FkZR8Rr8iJj7viCPWV5bniicsKNq4Af8YIXq8Qnam30gSkHo+jGpzZYnDdFDajYa 
+x7wVKMxUmPsC6RhfEk0JAFXhoqrFOrsuUw+bBC4LOvFzdufmS8klJq4krpYf1kp5 +CW6/DL38YRrmhq5djyiuA8iJPtylxcR+tXSmyGtgltCiHS4EdOOyG0hOsfkHPqIK +d5Tb7J+pMGimCp/9YV1NINbFpWIG3pF6sopMLU5YHh0Wq7SgfDVmkuPxUaEChTVz +S9y6k3DwhW7ZRpcSx9hDRwaHFw/eTuSdNH/7CpXKr0o/+zuvq+gpAHbPH1GfikoN +B87lSdfUdM95QTveQjS+6IFbQR/5pCEAraZ97EP02A2o45nn2bV/gOvZRqqPuJZQ +8rJ0ryqfxRWj/cRKrtt+k/n0dKQXJt/0g5s+IVgIHHoe5htzsXyjvxfpSL+vut8Y +ftr8lyCzGqFUZaX5zpsgwpy4FMf93ttPYiQuG/pVD4dSxc347xL03rB+0F6YIv6S +DKuA9Yy9bj2xRuJb5WmAlb67qwE7urGvgAkMXs3deVMWJ1oH5KB1t15mOU3Gund/ +q3WO21GQj7leALl4cV+oDXI+3z1idIMEWQWaoY2pT7PnUw5ruQINBFz/qPEBEACw +WHa7KtEtx2KKghel9yLwLx44LRnuKWLjGNrHqjIy6RSWBcOKVUnewtlzr8ugAAE3 +qMXtGd3vCLpEtqDJ4RghBrV9YVLArr9ba4clmSgr1iDKZE4xjR71rkwEcrQA9Iqa +faOQmTzj/MJoErYONat57CfArQs+Sd4SYJyLTZ+6HdSZVyM5tDooookToZaq/FHQ +1gKtQVuIkM7229JaVo+4xQn8N+nQCsKvbl/9ATxXoxzsf2UxDsOOW+Mi9qAmSDdD +pGIsWkFmvZnRPPnLXRkQiCcq703Zt/A5ake4JPLV3ZVvvzhvA37Qz8YE8Pud+jTL +bvZ6eKh/X3XYkUGjtbDUPfY61HTbiLKcDYmEbtD9bPa9gePhNPXVcpVKd+r9UQJA ++Oskt5zbNnOx1JCNIHKJ8s2ll62G4BcS76BnPSzCtGuDnW01xPj8Q5qEHwBcpKvW +j4sRx6DSxhieeMm3FZ2ScCarz2vNY3smDJSc2lOWYlFgQwwzqAsxqA7Lb5VmYuSR +KKEWB8XnQ2rcoAaUuCm8qU/zfa/yn97eZa9VKMMX9X7tcMAuYRD0fEmS9zjeX64h +/+tZdQnUq2Jtthz4qInNs/lSSYhCTC5H9FZ9hFe5X7LiYnTws5o6TXejtXxItaYF +/4Ltdsq/bT5gI/PNqP++iTQFjLDUUoG5S3U8/631+QARAQABiQI8BBgBCgAmFiEE +WlKIB4H3VWCL+BX8kQ3rRvU+oxIFAlz/qPECGwwFCRLMAwAACgkQkQ3rRvU+oxIW +mg/8CHGV74oqKrNf0ruUaHWfm1Lk++/CAp6uSZeMOkJST/4Nl5f2O3aPA7XVk4da +vvHA3IrS053LM7xUUb0FnarKMlKg//3f6Jtvavege6zfG3qj/s6fS/8EgoZkS3sy +wGHYzy299sgZKx7eF/pkVj/olgDQ/MpkM5scpDhY1rHjvhcR8sLM8O5DkOfyTaEi +RuphMRF9G21pu3kIPf4C/4tMN0TmNBzd+9L6n4iQooVsxzAohjlIQl6DjnGM5U7I +o3ufQqCuGOhJNdMPbuaH/ZtLxhnru1kZiHToPoGRDAW8YdjBnYIljW73RKPgMpkI +iL56DXSsb87qKBLZ3aBkjZO2NxT3GUPbCAYQ/b5JQ0Oeu2wbfYDZ8lr+rATED/9Z +6mrmPPgmVg+EmXpX3byBlfLvWuknZQgEFyZEiQUNWsPX1ML+VXUS9VkHYngZ6PDS +PREP+rN/XwsNaCKg76Dx3Vcxq+0Nj9c6qEPoiC4eQGa7iSc7ylHsYlQ9qLrwSBXm +OoGSnFkpToyEi33SA2FqZqLIvG1+z7sqiTiWbTdjZ8GShAwZDDnsbNUxue9YiYFN 
+UwEkJhcxkApawGhNtWkbDtTrvRRAHZ58CMDMRvpaKfGcpF+RlyRumTlEChpi+vNX +3Uyor2raD12YolIUGbjVdj3vYRkwdvoQ3cZJpZZLHyT9nDWZAg0EWxcHQgEQAJrY +yC/KKIzplzkKtuc6jCpUT2LMovFvUHp+OdCMN+K1SgveBhxsHgK10fx9Ki1Uvo2W +jhUAw1reQk/g06wiusJW0bZ2W5rKQKUPJH2JLEJcVdJAVdq2vGTdsVNkvia8O0XX +zN0tGb2juyjX1HPXUJ5jRBsiPrppeK6+NEizQmj4WYBF6wfsEalJdQ8g7nSR4p9s +HdotI+6ug6hxStcjK/wwFLRqpYwZQLDbRJVVMDAXIVLmmg8CP4VarIsF+PEv9ioC +EaT2yynFVYShmbU2XmUJSlatXaHhS3/C6IkKtOWZdU2Z2Yg0OyAUssikXYDV8bNO +dlSq+0gz+xwmglKGYwMxs1S+CtSnSwbuwmLvN2VMRWDCN4CLYRezmkNW03U2OXRx +rME6qlk82VNcLjpJnc1AVWBF/Wi4K+sG32e+uoTa7vZD4p5YmfgMRwe3sa6KCNgb +ufin5idIttHB/ZOZdyIMvxMqEBkjgCOHArLDFLMeMe364uBt7c2MLCPH6+v584Rd +rOz+Yl8AvKg3+izX6lwXE2VrC/6fkXlW7Z0+gES8YmNd++si5JOjDGqQhJ6h/r9u +ZVGLYk1LpgExgHxGhG1WXISIrGBd0kqFdkHYAIgTZ929grdv4tFpz4+rSBxTBlwd +PCKselkX3b0S5hSqAGsyFL/UT+l7h5vlLvTJe6W5ABEBAAG0IUNocmlzdG9waCBN +LiBCZWNrZXIgPGNtYkBwaHAubmV0PokCVAQTAQgAPhYhBMuvafFzoP6ktTf0cNZs +lZMRi8y2BQJbFwdCAhsDBQkHhM4ABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ +ENZslZMRi8y2o4MP/14vXeLNCNNtnhpbknRUVXrORcKZsDTyTHLx4BJvae9DsB0G +lzGI4xlkWFXRW9o1/3xG/sHpg1hQ2o5qAKPN8IAJBRm+O/cbyYxX5Jowy1l+vipt +93ZS9h+L2nEWk+hBT6hnf23u5po5JKPCEWgAqZxCnFivP5/STND9CZ5fXlTMXGYR +mehI/uGQ1k8qXMLVCG75mMxIbtXVnl0NIoq/mnT8kNWs2y17EKrbhX6tKVdOzsQI +SZ1CN0+SJeYrfCjvlVnCFQS/wG3OfmfsXIMtXR02sLffhai54jIM/DndaGrsNxay +GqScMVMnhkU8Tk1M92fwph3JaMlT7mik+fndWkQZtKAuu9j7CNmFhd19UKPbx+Fp +LIEccYyn0jh0Rngc8Js3ZhIAjaCNpSjJTIuWcNwRdks0hHSuvsK32C+YpakF1G7O +WWFSSy/p7VGXNR6R/sZgn7oC0qd954BGyaMhxmM7fezhcFYCSNG5D+jG2Ri5KtcF +Jcuw4tKXDxT1wg0pmk0tLH+ZNPw307Wdzrjqpz5TrYzLTiycxbl+uo4btKe742rl +uSXVaqx5bVpx6o1i42lGevCjq/n6oBbM78n8gTc4vPrdPjRYONviTplNipLol47h +rPG2yakoe0PqYKFLm7CzHbL64a3ZCK9K/XWth8OUJbDUGWRHnVZ5tpxQqYR2mQMu +BE9mqaARCACFSqcGmNunkjQQu3X+yXnTmFeEkvM4JXZTOBdR8aEevNGmmFEfyvja +DjWi9hcwp4E/lYtC+P7VsVjM1OSX9eq0jC/lGL0ZyRXek+mNy0n5H1NSuTpf9Y18 +LMqhc4G+RU+LcNiZ9K0DJuOOvNLPxW7OHZguxb3wdKPXNVa2jyRfJAKm2uaJJMT1 +mTmFT9a0Q8SKr+mUrrJkuG0H2o6SzrKt8Wwoint1eh67zVsJaJtQFchnEZnlawIc 
+qP2yC4nLGR3MkubowxoEBYCZet18aHVVRbvpG2Qtob8Lu5xrsGbmXymTkHTdpvkf +cJFADa8MzOL90zOxXwbGfbIZOlh5En8jAQCXlfnx2eQL3BSW/6XANa51dbWiEp1d +1BAkpGKtZvlk0Qf+M9WAi+9aXMe3xP5krxtgnRNUf2WN6Zdy2MxL1RRJCFbytLhl +0ronC49BsGYVGshdEH8xhBbiIOJKuVZ/DTl9bEm7P9c7CC7iJyVCkhUAhouH6xzZ +QNLR+RU+QebYzXypVfl99Qk7EdMmr/WAZCHLuvanyqepC5EBsa3VnAfQemSNoBeG +BKWWLiOsPjvS72+y1z4RUMAfXHn4l/sFMt8zt7/74AmJPwZquV41p4mPO12V4+xP +yc6RsB84sfsk2QVivU8w8AkvGQeYjXoz7Iwao95+fWteVzZ36KRQvUckP8pGjHlD +XnHxJ0HI1I/kOBZSjwRwUf0dd73y6erPhbLk+gf+NdI3H9KGJBzG5/rVyWKwUeQ9 +d5ud4jTJRkQGvAP5pg76vEa9dogbpe4W5Z+0BfbiJSnQmQWSHiZddj/t33ptbup4 +4Ck6ZTgdlmFYMLF1hR47PIZTDKEREuKYGci/vq8snZvEJP9YCw/TtiHcMdrMKcY/ ++Lp8lQO0GHLPB9glVhnC0db6l1Xpg1CMI8/RozBMcij30EgATggC/y2zbiqAFoS9 +FN9nXPbe4phStqABEyeZ+nXudt7PUYTjVgcrqo8bHZCisBobWC7OnKyUzxVxzUeu +PkIfmZuzkLaMw2McQdvwwsNvQ0DzaLP30c1Xsm/7EIYJcOWpzlVJ5QrdmE0/BbQy +U3RhbmlzbGF2IE1hbHlzaGV2IChQSFAga2V5KSA8c21hbHlzaGV2QGdtYWlsLmNv +bT6IegQTEQgAIgUCT2aqtAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ +L3lWvF2gS12XMwD9HuRIolSwIK77u8EY461y2u6sbX36n5/uo/LDQuxoi3sA/0Mv +pnvzOhv9IufvvsZEj3E7i3h+iD5648YMwfTFCij+tCtTdGFuaXNsYXYgTWFseXNo +ZXYgKFBIUCBrZXkpIDxzdGFzQHBocC5uZXQ+iHoEExEIACIFAk9mqaACGwMGCwkI +BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEC95VrxdoEtdhdsA/1qQb5RZbh6PlIVe +HCFFC3fMvy56wJ1KC0knhphyZdcGAP9bQFhWGbxylFn7xmnbJ2bpa+0YfzRWwbgm +eISoZItQ1bQ1U3RhbmlzbGF2IE1hbHlzaGV2IChQSFAga2V5KSA8c21hbHlzaGV2 +QHN1Z2FyY3JtLmNvbT6IegQTEQgAIgUCT2aqnQIbAwYLCQgHAwIGFQgCCQoLBBYC +AwECHgECF4AACgkQL3lWvF2gS11roQD/S/f3M7YgChaM8SAt79iAPvLieplUBgYg +uOJjHc16QA0A/Am0mjKmNq3W5P0uA/vB+liCEcMLdcZiOIsNI44eHj5PuQINBE9m +qaAQCADfZPMpjZkkGZj3BY/7ApoLq4mwqzbh+CpLXwNn20tFNvSXfb8RdeXvVEb7 +Scx+W9qYpiaun2iXJgCVH8fgpZpR856ulT1q6uCG++CXubEvip/eJkZl93/84h04 +KQJwsgOrAh0Om3OePRn8Pr+++0LNS0EL8uX/YHeTOGOnnmTqYTeySBVFdov6L4me +pddfjekicKQqhL7mZh/xuq29JijT0uNNX8v4vDWQDu5dlAcdd+uB3gcXMD/PginD +11zp+6wtrWCm/+yBqpvDwXQX5PGUnwvbRfl7Ay3MmwmoXiecZMg0dwTSc7e0lhB4 +HGRHZdBMJB4rHUVGdzqujK/ctOvrAAMFB/0Utb76Qe6sCMlHxVAmeE/fbo7Pi05b 
+tZ/x01r67dHfaMSP0riCKJ7M0OW+jAXtu9+z/BVnYisW67WWfxl2cS5tZDgiHgJA +RXWUOO72+sScHP8KQmTl1z16gyKbwY3SmyBkwcpOL35nhUWNLy93syPoY6sZUTik +r2bZYukHDQ33XBPs4e6MbWKfsa9qaVmnlOF3k5UqChjutfHaEa4Q7VP4wBIpphHB +i9MI16oJIzzBPbGl2uoedjwiZ6QeQZnSuOVYZxU2d3lRA8PrtfFN1VSlpEm/VcAv +tieHUYWHN0wOu+cp3Slr5XJVNjTjJhl28SlinMME54mKAGf2Ldr/dRwXiGEEGBEI +AAkFAk9mqaACGwwACgkQL3lWvF2gS126EQD/VVd3FgjLKglClRQPzdfU847tqDK4 +zJjbmRv5vLLwoE0A+wbrQs7jVGU3NrS0AIl5vUmewpp2BKzSkepy23nWmejwmQEN +BFhJm64BCAC/9u6NdeqwFuJT5TNbKVrlVnmHihg96XSYGwl8UPiiYuO3JxXZaduB +w0955FOc6X2cAoOJrRYv1zZO10nWS3n5CfjUn9rLZ1dnmL87+gZcOUfejBo2EmLI +VM1yTsLZvigxIhjCUdiQDsUNhN0h1QMwprKAugyhtS4UI9DepsEt9KaqVQ4Jw1M6 +N0b/enkQYs+PHk5TbWUqwdvuGDVeZI2poBo2SL5igUfe2EAOZLZo0CY+tCsge1hu ++fYxckEF4C8SltQqiXnk5Z/SvqhuRV0lvOYBshwun+6qgC5UJ8qHsfW7pK+Qewfx +nsAsW6gbuKorluCiRg2hCIwK3fAJ0SLHABEBAAG0HUpvZSBXYXRraW5zIDxrcmFr +am9lQHBocC5uZXQ+iQE3BBMBCAAhBQJYSZuuAhsDBQsJCAcDBRUKCQgLBRYCAwEA +Ah4BAheAAAoJEPm6Ctoxy9ie5VAIALXzzB78e3Fe0J83zOfj7VBHRoIsljdnlOPi +rIciZquOoeOOMpSdwgHA8sdlFxzspEDyN4X1YU2zJ5emE4x1bNSY8tI9h7Xflq6k +GJ3zlYa5SQ9w97Z0Mnas0j7wbJGeajPmbb6ZFfWY83rowHUuIujql+RN0Av2MKxE +XXeydOdZGImvzCoNltHWlmoHxI9+oerPOQ+04RxhFnCvwv5HyiN29O8sn08F92wX +RrKzLcudXJeUZgQIVmv5spY84SMldv/lSr18s3lPlvQDafPjbzUs7Q6dJFiiGdW+ +sOW3MntJYAe9n8X2tly5owMs58N8BNThMJoLhtIm1MNZzoGnMBa5AQ0EWEmbrgEI +AOF4kVuofaESBahVCR4jWl0wWbiv3RNOUb/7Vm1TXeH8kmkLkIPGdiDSrc/yENi9 +i9I/e+7fzV+NY4B0IzPewUfLUrbrUR43LRBhumNAkpDEaXYQnz+MGYIXj/2pWJoV +s0tJMauspCJK9+iTbFPENE7nllQb0bI1FZ2nSgCdw3u47o7Dc3UKh0xWrC9G18BJ +SZbPn9eUZ0ioDZaVCnxvJfS+MbSj9KJfG6xgngK/khSrMPiyBMXs1mSXI+pZSMFX +TRl+U9vIN9qkdsP1vgin7CgwQa2V0MHPdQap7NszbpG0dduxRkvgM7uK2Y7QCviD +q8eVbC8fqsAvRe+UDIXbA3sAEQEAAYkBHwQYAQgACQUCWEmbrgIbDAAKCRD5ugra +McvYnoIuB/9cHKVJhmGe105G0XeYNVq+X0yzSugMfAwVGJOIY4bdkbxSOj67eAc1 +xTH6wbx7KHHhDfDVN/5KHxJSm+uJXE6hi62dY++syPdoqhv/1AMD0YKpx62Erm9z +qJ3/k5pCPmzFLEniQ48bdZFxaVUZBvZ4c4cq7aE5kY/WfSN/WNOJ79zSo+vT2Rnt +uFY24Rkplwo+aiq/gEdwKvuOzVDc07G+idozfWIYAWXRgiGDEgUgmPkNbpYLoM1M 
+PKTTkBVMjYvEESdkiPjHHcBugV5kpsuyWm6jtbgR2Jt84gq8+qv9gVgkT0xo+Jf/ +9X7so8CXqtI9P1keQ51gXM3lQFXkp7FQuQENBFhJnJYBCAC/Q4RbdpAwRval9S6d +oIVKvPu27haj4Irppgz4c0NKtnGY6MkYOXwMJmd1KGnV4kU+zJAXCj+4fo0nUnPw +Ml+vkr6X3KtOOMr9Bb5T1wnj2YieYpA0oEf4Jnic8qQZKz6SV2aZxB/FgS+orOC1 +mDv1xmSPuHfCZuH2JtHA+4y+3XqYt0ZusS31vSsv63HiUqt0c33BMrTdgDmP0ynt +DnS1Qb7cgwhMe6AVXHHNJDZSNbCWkwu1ASHfrTRUt1ijEUZocGBIEmMN+vdyU4Nd +5aF/4fiQRoNOq3WLjknaKM+uAJ62AguDzuEkn3z6Ei2rlg3KN/9L3Mzi7D7gdVwh +seytABEBAAGJAR8EGAEIAAkFAlhJnJYCGyAACgkQ+boK2jHL2J7hpgf9EDjp0U9F +gpmW0JVKOshmkdJIoF0km4YBKn5KLjVTmPNP2js3gD4PMkfuXMUR2/uDQJvEpgL/ +DqbKqt8TgupxGsMmQ3mYgnaiVwDH0yNSz6rpzYSsvnZxaIyKjpp963RfQqAtg42P +F3Dje8vlMT7lo7Pb8naUr+bu7PaIsPZL1Bl0lGMymAKS/AUZ6B1eUIy7Qg+/Qcl9 +5+f/4nnQuxTpA5kqcibAAWpM/xbxbpKoydbJZG0opxgai9hvy7hOf0Rlep7cdISu +P5YcAdGWYSHq5t4RJplGLFlBD4hOAzkTi8KmtjriLEIp7fMG8QCYYge3O32KK6BS +dWmgYjuINvO0LJkCDQRgXeS5ARAAznHoM4UlDvg6j6UEk0clROZhxPXQIaXsVLwJ +sk92+ayaDoFF6SPv1cymtreNIJHHZIP7h2WzBk0ION377bGNXg99rr3iStKzJ7QS +DZzmn+4w0WvUHSql1skCGzkjP8ssiLXOp9phQuK2R2jVNUMGQjxhGLeD04E5johY ++jR38ljCFMyE2Gv+xJLhXFd7YqnrvBptnBpZRYGkNPf93YS825bLYIHeH9QO8++W +qBpjMusb8Bc3N2QMta8V3ReUAqXbPrr1l5K6TSaURmSeHkfDuNizgyRKYERpOCwP +o72bp1tILSTiCpgBn19iEpNvGqwkddvXcWoRxynn1EvEHNs0yuvyPwaf2TFXPzQt +6LOibq0CQ/yn3+GpoTWgWEVg/jZ+30forWdxzwR9sn9J8y9HIMBrd+xm0Fxqkbx3 +MJqAAWPZt1mVQtSJnTkuk98zK1AuAE8g/6rVLOjbscldtgtYy0bRqrtmDHQMPrNR +ulekN2NEq5UasNDW+FINIDMCmXVQlPttqhplSeOA+30q+wMiGZkqwuIuiKBfSNKX +KWWHSCJoDgZ5kpsDiIp+f5NDqoN4GVmQJ9mFeqqVZ90Y1c/xpBZJpd9U53g4vmmS +Ur5sqW7045Gh/8wC8CqXEiHVWWJZpVn1qaxvFGN1nN1yaus0WIxvWAHYGS8x/uwe +8q/1UfMAEQEAAbQhU2VyZ2V5IFBhbnRlbGVldiA8c2VyZ2V5QHBocC5uZXQ+iQJX +BBMBCABBAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAhkBFiEE5gkT5N8gmQfY +4w2WZZqXyc8qeVoFAmJrslYFCRDtclwACgkQZZqXyc8qeVqENhAAglRrXTkxTEFh +e3KZwGzRUhszL/XX3xO2jmnFWoRHETLruTuTjYWTJSsHl41yY5lyYGuF8WYn3KKZ +6CRIogJnenm9aHXh361wGqyooPx6gh17UxQXNAAxICHsPRKx4ygoqYN7gQMb0fJ3 +Qlf8Q5gCA3WRjO7oZJWL7ZOvI4Myt7c2Mg83rPnkCoY0HV3x4KdjKlfmnrrsvHLB 
+VryVfwyQ01xTHg8AJvbQfHzKh2QzpRdY6ZfhW10tzXTfznnvC7Y2vseYkzDCOZVZ +px6Xpsetlvjtsgh1HXeE18SOmn76Sl5xw47F2aGaC1NYmMFbQO1xiGUws381jLxb +F7V6ftxrHzhRWbXl2JOF4KBft5vlUVA13JMnd9x3NlmQyHuDymFPko8VfRp/y7av +V88D2/VIC6IurhUZyaPa+MwEynlOHtJivZmcsuTXZee7R17BHfq9kmoodJL9G19y +8ViPGm+iVqTghVmPt51VFyauWh9xrbHb/11KpPjO+teiyLHQ2Wy2e/PUKxPZjhLw +A57PcCI7fFxXHf/+ZO/zjP+X/xitPqfXb+dbkp7sqrV9tUrRuf2PosbtDLiu4yto +EpkNB8KFNrs5VF7xciFoBB//kFIDNUKH5aLwY6fuXMCG+wiJdLKjw6EW2llgKrYI +kSBXiP1HCLLNlqh1GPmyGW7YqUgPk7+0KFNlcmdleSBQYW50ZWxlZXYgPHNlcmdl +eUBzLXBhbnRlbGVldi5ydT6JAlQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwEC +HgECF4AWIQTmCRPk3yCZB9jjDZZlmpfJzyp5WgUCYmuyVgUJEO1yXAAKCRBlmpfJ +zyp5Wni0D/93RGKQjWMUseorSyJDJ1Yn3VouznuwE6iBnyDuWeLmfRNCQr9Agx8u +ADEO/DRuu8yuV0p4KAhh3bF1MPYfOe3bV06lSqRu8AwAUiUAvoOobuLCuu7aRZbv +GXPiBrRnNnjY0xUnIjHZQmqHGPnoVlVbrhHsOyr3VXxDMSSC0ZN4K4as7F6ND2nj +6o0Sv5cf8GBw1u9ueQC4myfEN8n/YfiznRGtKh9cbHUj+xuebdZAQqBrBW0/LDyz +cxTLas7ok4EILEzDTnosDqz0VCMOMlUDjubL2dPmoIzhn9IpJRtIXkDAuyxihQMy +iBbcVa1eoUoMB7e8tnwOUb0QUdM2Rui+W1JD9P/bcRenOh7ElYoQDqV9jMqXpebh +w4J6qunhmzMxuNDKDpp2lnBayAja/rmS2NRXwJa9TZeLMoqlxd+vqwNnud0FXD6d +p5b/SEfoo1rVFSDvsXKQBSmeTcFhETvqEKBjZKrlu1CuMfIzvHs5GLP5wumPnCdw +Irj0u+mr5z+O/0gL28lSw2pss8rfJkjLJ8qoIIc+or6qlhPNdItdNwHxQow6JDU3 +dLs6QnC++FTeaRbL3iOet8Vop2yKALYD7xR3dfDX2IJMi25OvVeLP4dKJw/KRInd +txMQylyjlwWc59QcOe8/2RQsckpVC0LOfQTBU3WPVV06l/JdqWoZi7QtU2VyZ2V5 +IFBhbnRlbGVldiA8c2VyZ2V5QHNlcmdleXBhbnRlbGVldi5jb20+iQJUBBMBCAA+ +AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE5gkT5N8gmQfY4w2WZZqXyc8q +eVoFAmJrslYFCRDtclwACgkQZZqXyc8qeVpUQxAAnDw/w62tH9B1uKqrtGWHqK7J +kasiNvqW9bbF1Oai5+1VGXm8kWi5Ld5KvxN3pp8QdjH7Z9zlvWMxw1kHI3Mx7ZCj +633lPNiWtd0xeb7rch1Ek5/Uasy+X7cfjuDmdB+XKrLJ8qYHZ5AQOXGthtrNw6p6 +bYWT+3tmId7zxBB4OR7xOxrB9XMje9xH6eMQCZbRUnRVbTQ62fMSI8PYlJ55dD2u +mMRSrsuQLC07/U+soQD/PNqOX1tY6ok1KSquJfxgoymViIwYFEGlDw3ViEjYRtKq +CvxlDaUf1n2iTHcmBbfWxvjRksfoNEV2Dlpp9zhFYGuSe39aZF4HIjnR2OBTERlh +hoQw3H2lgU11WpP4jJVm6zzcFHrt+9VuKTJGWgx6tEahW85F+XjwnFKnjh2T8+aq 
+4wEpDqw66e+Q+WYaOlHDBGjpgNxPPNy2UAmPs4fR/Z9+FFCKpWto7O6Z6vQG9LmD +lXuRfk4qx96gMyK6X262pRpxA+pYC2yWsVN3lE7tdy/8YFHx9o6muJrwwUuIPqwa +o+CdkHG3P3451BIp7bthzfEBiRKZDUhQI7ll0NA5o4nZe9dA83FWcvljHB5gDXl2 +ezEl17xsFFfkQuSq/z81QE5AsCVGPnHplNxP/r6fqFDhdTsbyEiihBdUB/aeuJMh +NHszyeUrFc+J84ughPm5Ag0EYF3kuQEQAJA4YiAQSWtR5pdzAd8gw4Oyb1WwwAOg +YvcOV3sptLKiHTOtt1Njv0UJc832V7IN3+GuumY6LdbdWsRWV1zcOqfffZGbROcZ +NdEHKus35lAzOsq5ZmrZgiJrvppVka1u2Km2uw6YFieZuBVxk6dPDafJzSYiAmhu +x35Ox7WSI8zK/eX32k2l7Iki2nbz9KNpJz9HLwSz1kCjFPPQAyPMYfNJpuqJrJ0m +8tn5blHroEijaCsSanaKlglg+W69GKZN1MhvYFHKCVMkJgtoFFLPYNZLMnqv8Rpa +03CfZe3OSNom8n60a2n1shOWYP75SiwX357EpCK1ftHOERY45bXkZuhIoOpVZl2z +l230qKSMrxvSGJm4GObUV/2jL6TnlHG6sfVn7LqdTGGO7YeQf10lyUArEYNpNZzJ +ex4KvTFa5pCgrl9SL1gZgIpa8ZQKnZXakgPvP2ScUMmqXQ7cPHnFdDSBRRtrQsaH +ZyXJeUVWURrDuIDY0FWVuh6d5LaXAy7CZKTYZ7B/MivYZgb3v/ygX7ac29CNd1u2 +yTCaM+q4OdhQ2zvfTWZiyZfTfOZgjzSEr4WhxTiynMhaUTp7ntnohEfDi7/zNuJ/ +9p76dUlsJIb/ojOhSE9cghacV418QiEiTNaGJkzPXuVo99I2QL2HIMA/SmP0xs0m +aNVvwT4riEIlABEBAAGJAjwEGAEIACYWIQTmCRPk3yCZB9jjDZZlmpfJzyp5WgUC +YF3kuQIbDAUJB4YfXAAKCRBlmpfJzyp5WupsD/9w/5GDNp5L6FyzDvCtKufWO7n9 +0hN8GdlR8g3f12iozn10BRMiuUamWCPpm7/8SOfPl6FZX/ct51M8lEQmgUWj7b02 +6cum/GNwEcPMU+cAWA1WmNMc5R44nRVTZwydTCjb8J+vFeKmXV9Xccxwfj61HmRu +WFaBgksNWruGKhrmD9FbhOQHmPaT+nP5gu7EriwCe4s5Gs+iDYiFu4XCXET12NjX +cgkcM0mN+lACO2VZynq76StXl6y4acEm2wYEuP6IfrHbvdKEG99nSUVU2Wf509fA +kek7cb7LuaxbfEOG1ZFx4g2T7668/ZDgqNaXtw31zm9qETJRd6GeofjITQtyGb1U +xGNFiutiORq33rhnTAb3CPgRaUPqa7+22VTlP42ZUC+gxH0Nk9njXNsYmD9XSsKK +h+oXG/I9zonbPPMT3y8XjCD2QYAi8scESSFvAoUof0fb6PT/hzZhZLe0y8vgFUJu +UFf4Jnb8CZ00t7Q7D1AQO1l9qTLGG0BA81skHa5kgIKRsOZ2h6s/oXIxiulbGFv2 +x+RUHjin1DxOBFT6SHF40BP/yc6yfLCZDyEw+CPHCKzKNg0nrLKzg75A6KLQucAs +A9o8ys28FYxk4LZui1kyGpktFLIQBw5PbZ3XcYDw/Mnhc120ESQu7AaBXC3AUSax +erq5RAYJplqOAGyLWJkCDQRgZSYzARAAtsGzvzyAM1UgKdpJOzF5s6F1UUj8hG54 +zeqpu+56877oIf23j2bnBupW1zMUbAo+BkvcS3BmaEkGYU/9hiXcvmlLe83+rMpq +SVE3ID3RFZn+bk8Vp0JAYNAXZuofMcL4E2Va3X8Mu3+43wLBklysxJiXydi+ix5g 
+DCNyPnLHT6igR0s4+oWI2WHMF0qdkwCEpKSiplfZKZGN2Sg6CQnQ2+UOm88uMSvg +SO1xWyDC1ghJH6VGrBl5T6Ff/ar1lq90hrZyoxOVY6FYAOYqoDFMpsndi/c9wasv +PpirZncV8l4NztKOvMRvaO6XI6Gr1W0VoqhPU6mXMGq/uNiqC+gXIVmJTL3mfUTu +l/rpqvcBiY0dxvfTxHB7RelqJjFxoni6m1M/1ltBoqC9+75KijGWGdLciE4iWX+2 +ptieE4oMqvJJNRxuq5km10kjgXCF1r/mlZ50zNeByo7G3+o8fdVXf+eMg+4cqM8B +LrW+Pgs/zt0fWd1eqfzn3JwEy1wnQ4NYWDY1qM+k2XJcRk6WSae03r6hAYakPLmv +0Fxyches2t1RWFyOAtl7Wlel+nOx9kr0aYbJ51WRDFkgbGXnFvrvd9XmpkIs8+XZ +llu4wrUKg/63Mm6qPj3rbM1vg67MYN8xfXTzNx/htV3OESC9SuD4Ua66Zfh8GbbD +oFIiSzIK1z8AEQEAAbQjUGllcnJpY2sgQ2hhcnJvbiA8cGllcnJpY2tAcGhwLm5l +dD6JAk4EEwEIADgWIQQRmMARdZNJel7FwZkoavH5iXRp3AUCYnCdvQIbAwULCQgH +AgYVCAkKCwIEFgIDAQIeAQIXgAAKCRAoavH5iXRp3IY5D/4mMKbN8VdyPyiSkgTV +B3Zu6GzLl1tapw2fzlzYeS9vE9D8vF03UshdE9hKQb0qtMokblaU1cBPGrKWWPqv +x0sJbSAZx69YKfZAiJWfHsVgvATwfMgcqlpdGHqRnEEn8fKta0+VL3GKwXW/aHAn +dJ6JLT5qJ2qqMoa8VqhT5CcHo7TJ3CfMXDw7dI5TiE/MOIPuRUEwyw2JXqM2GTqS +pX1dz/PMPP/UHM2BMgT17TSSL6g69JhHNVcruYypQHNxFOBWqg5lP8iXutqS/SJ6 +FJEWfKX7gLyfdA/Zj051ttqyE1i/liVfLti8Q4eZX3+/tbQn68T3jtQiYyS/Tjq9 +/8t50t1B74FXCe8/wlScBpTazngJTxkDFY9kNScYgaCfwda9/ZF9TmhJ/rGoqpj+ +IH1nWHyU6kvLylngrr5/gNqgwmc0g4/n2twYcbWBgsTX8ATLSoxdRF89hK9fnJSF +S6pXp3LRMrMrkiHg/sFuDkiEiK8At3s0eMFpyBgAmDJuiGotNtJPvNeMI6gAEjNK +lMf08QXbygqhhzO1BFYPHXg8QwcUItXieX2hdkMySXmVLgBQ/IaSWAQIx4iO9uKI +MklGlzbE7ZkSMLMrU7pnWBXJOu7N9aYsoLCx7rc/9C8deso8sbQvkzwu55rMyiTe +14JvH6tFOVQrpjLMByXnhzFaq7kCDQRgZSYzARAA7Zul4lU0CKuVKTVF6Wrncrrj +BI5BNYSO4cv4+Di/nb/F24yb97SjTh53CVHfnYsVwRwa4lmVJTWK3MbRDCW8T7OI +8PQrmWnyuk57e5+nGyhhv0U5z8Lwy/ozhqftZ92gR7qQmguvUQXJT9Hr2DU/a86g +MuDSHPQBSxAh8uKW3QUChM/QOukzVJW1ekYo4SFgo7vb71a0IMBPTNl1l0/0bpCZ +Jp8MFopRkwpNv2fQUXM2clEunnQ9YKeuhQapaRBefNj5y/u6ALY8MGPDQWIF5EJk +xML704+IY9VU7H/8oGXPDdkzYtrF+n32BWkiRXeMcXyk9AyHVHJCNtJvs8SzMHlW +Tr2+pBVed/8Cgw//S3ygqfJr7360lI5a5CrTbSb28UI0QIYUU6RmhdIwzpkRFz5R +5+a/wT7BcpV9uBSbdlrBZ2tjkbd4KLJtj5F8t6ea/1tVXasIEVRcQIles8xDwFKa +WP1Hl8Bla21zLCG9aBbaT4G09AruLY96T1bHvO3FvW1JQXE5e11tyoZV7hMDoaOo 
+3FCM6p6OrOObTzird7S/XqSBVhDeV/mOQceD7eKXnMGMT3r6rvfckyWDpbNLqnXn +vU8zyLnSG3C8rGb0B/CfBHzObq6lEHAjplzyY3mkprXk3TpQp9duH3l3epudHWTn +nuA6aGmSzscREVCYxucAEQEAAYkCNgQYAQgAIAIbDBYhBBGYwBF1k0l6XsXBmShq +8fmJdGncBQJib+7rAAoJEChq8fmJdGncdxMP/RRqJrNUEM5Rg/8ZWkArMMhAzZZh +ZbO37eOLLPUYHzBCQmU2/uXv54g1xhxYpGal9mI3myKNsxdIkTe4PfRJee4KG58R +T6MSUx8/vWjTNDJNPusoRFnpCa8znjw6Mbe2ZJPzRmkEPrb0Cd5weGTqs/DOh2i4 +9ErH9IEE8Dqegl2fybJzcWPUFQkMXkIEhovpIFKt5HSdcWyGnuGaxhzjoHWuGCKP +RztiIU2WNailldhRwLp6tVpYVWxmxT7l15MzigWXuYiuS4eG0ATuQHUxs4PJjL1K ++g2kubxH54hhY3OaXT2olh4YLWpPcqZa0p0lXPRiUXb6pfJdJUwxpGxnUqcPvtA3 +tktM67OwNTi2mwE8WKGKFI3DHtkNG3y5hn/OuHhveTySu4DFAEFvlgDwJAhrPTR4 +uMuzB0hCcAIm82EpitV07aD1s8zZ0DIruHoZ2SWVVNTBlfreBP+dAgIG5U5HRdBU +HPS4mUQBCHmmuahe4IHPtQi/6NHgypW9vliDd6TFGI6jje4gk0X/0jtJipEkX9Be +FTQXD46DnUQp555g2lfDTf415ln5VfEGhkWvS7K09uQ49/NfENK+rLG6w8pWi61h +CrmdfU0NU6TQBB/ZTwprTR1irAT1NRhR/k9glMuJDON41ieS2ZYv58KcXSCMmqGk +vDUrjyK1dYOElF2LmQINBGMOFOMBEADgKtI+ygTCen92n3GGTQy/rqhbH1hss+qZ +J5rYcp8Uv5rkEp85jEhrZF2nWUiiCc+WYF17t1C1pPxh8ceONbCGnV4hZxC+7VCL +uFT6FHYE7D25zRtig8YnRWxahrpuqfk0W/yfajCbU+VbCRddmmLqzb0Ombj0EbEO +47uRFRIk584dqYqfxYG8lxtxX1YSf4aUu+R/YoRd1M/I9Nq7w57nrIzYc2nFlwPA +j77Oke8CBZpXFg5pKWOmaiOkh0jlFCNIrjyFC60WomjfOeoHsKyX6Z/Zr3HTewDR +sFl5XkHjpZye8BZ+0i1ZAhAraNdWTi19Z5XJVoIVHs62a5tzfWpmbY7S4HHUKJfs +91RLGinBXJ6IztmAvmgiwuH8nyA8fJKQ0B5v1+J5H2VdWd6QAuRZUa2LyEzVrPxk +FL8XRoeOxAHRNHAj7k2Shz3vGdcgQ7AKvXjbnK3rYH9eAdEKL7lWJPoipAhB+H49 +dftxhH6fsLaLW2UdLbl1iiwHH5ndh2KAZBqEShJuTYSQ/M+0hBFK+9o3a9r2ly0x +Dhs3gf13sfMD20em/ExSrdj08umqDpKUijpe4Skxv8jknGyik97vBwmbqswofu+/ +yPvrMpJz2haK2w/8IJCa6ItOmZ3Jk1w4qO5t8RynJ9MLvp6QfNPzmvJZ1U0cyml+ +QwdO77C/gwARAQABtCZHYWJyaWVsIENhcnVzbyA8Y2FydXNvZ2FicmllbEBwaHAu +bmV0PokCVwQTAQgAQRYhBCwWx2Xb5UoIgTDxvEubX2ALVfO0BQJjDhTjAhsDBQkD +wmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEEubX2ALVfO0Tf0P/ilP ++QfJNlvRzT90nD7gL3elOKCL4FI5NOtU/8ehi92nWAtw/w1/dE6lprexO/uqdnEb +gAlbwShZTwHHce4K/bT+ETAz2+NU50KqLfXcSn+SuXieSe//x5j2WZHyaOBFVoCg 
+v1IW9TLxsmuymEnbD+tMAxfgQorjUChT0oZebjZxTl6shYan05TOFJq9Mqmmyfiu +YGbq7D+d+Y2gYuK2Gay+KEb+1c3f1G5/lhh4cQGLVGMv03YTRVkArBb0psbkLzKW +7t3D/zOttdCQ96a/pxai4Y10/ezWCYHKhWqsErdRTRr/XdTRpPjC638GpDlfGaq7 +1F9A4Qrd79DtfeQanZl7DDRSt4p+OjK9yx+NX8cM4DP1PGKnQ4J3UG/IZKXSV48t +JKjnjNI8kDxqvl3DnTWN4qfX8hl2X0IP6HFHS6qnnH/TLZBdhwLovYZuRGRxSSmm +jUdWN2emNqQbKKn3KUqY1G8H01vF8o0Y8LsHgyEaLHmGj08mCpHeXCGCQsz5jvXU +j8k9WDB99SIQBLCWTteAZ3ruzRpx7zB/EPHeZNYznybaP4Es2O5BmA3HKdiGwY/c +ufrIycqwaRPXAhjVxHcJTN2X1I+GWhFmNizQwWplDTJywcMVpklaZDQ/O6tER6IX +p3bVRCJ3qTGUDdzUBcwo6FX4i2VcMPxwDCLyNlIbuQINBGMOFOMBEADIuvI9EXIv +tY3yrixE3kqP7A+fSZ/QbYAE13L3gDcdd+CXOq+gy6nqs5l6vB0n0KpANbAUv5RC +AIt/a4M06vzC4QyOSejeb3/b1/ELDoOdTvqN4QR1YusGvf/hyA5t3UY5GL4Tt1wG +RBZYlbn8fMf9BcxX5tGSW7UUJ6raHTYKS8KxmnGTdE3Ata2s3oCpq35iLroRENzV +1ugYIZZaLw9196aN0fAkFNn5cVUFv/hTJ4pdrydfERxXcxXHuMnwXW2m321Y48eu +XzWDa2RzuTsmNXN27RoDQBydR+jK4cx8rcLsHJaBiFj+WpX6wEJPhoiCXa4Unrlj +LNjbF13ojzec/cXkqVjVIrMwWF3QmcCSDfo1ELmMHD4CCiAqqPL1tHClJbKbrlix +ybs03xuSTfxF1ZqhjWoUvThPG5JOA+hXMB4Ne/pJu1SMB+aiyOFJXGCdeE3cmW1v +3cV5w8OgHhY/ual+8xWZwqUmYIWQB1GMAZP1p9E7XxixMbJI6/WQTBsdrceDTG2u +djk76En4YGHAVYobzFPXYLv2KheU+yanLkXZnoz7gFB4IvuVaxwHZSdgnGoSaIoz +FiCpNN8OtAFFdVI0O9RbzDqcnSktONqKnpeRWFCeEsyMZ6cuYoxbar2NjJ2IL+HN +BBS5nfbZ04Pyj78fpGvJVAcpF+MZ7T5jmwARAQABiQI8BBgBCAAmFiEELBbHZdvl +SgiBMPG8S5tfYAtV87QFAmMOFOMCGwwFCQPCZwAACgkQS5tfYAtV87TJ6RAAo0ms +AmFVeSSPzxCYecFw3peIu15CAna3VidsZZ3W+c1Wf01hZiphPOLxUVXNr1VzaBos +40xGJ0woIX3tC71tyzxinaUlYpZnE4h5otS0P+Qbm+NHqReDfcVnPoP89551hfH6 +epBUgmm00d5+FNbuTabMsIO3vBSk+Y+p7zbY9bkHFq5wB+JYz6vfxe/3frB1zvx6 +j0M6ehMrG1/YjA+z9L0+7etcUy/qvW1hSkdBtCbMEv9EGDzjhEjxP+wZSJ7kW2xh +bFUzbM2rFGodb9sn7z9sX2Gf+lVwuXynHXm56Rc0Zrq4e2MlN09UQkjZT1BT4bEc +K/oUZjqWcMgGMRoH8Zlw2v8qUMqTNBs07kC9+4ujSSz69TJM5R1Ryof7mucOeRzn +SSqk2bMRefe8kkLAKsKb9xYyV0ComRJZUmxLDy3EMlzqjlVg0IXTT1Q0z5VdP9dB +49oDQiz4DaAeqAz8PgttGz5b63JM231DUUxdrkuneb+jz7LCIeL6Kb95q+Uozij7 +nFajgP1ekqYyJ6WloxrPEGaW6syrXxGPcQwsDlDZ8c/uwTBtfRkLVuznVvjaVx8m 
+6rQwdwE4JJFpr0tHJ7us7MEcYp21/S/1MD+mvG8XwPn8seRnTEQrGND+YkKIGvEi +AooHYYZVpg1Aid5L6wwqjpnO1VYX95o4BIZ/9GyZAg0EXrb0LgEQAOX87ju0d9lq +npjc/B8j3/jB79MPAkuoE/yMzPcAfyzl7ytYcgjBclqjU1YWR3hWdJKI0Qx59+Ss +1anIJuOvTo0Saanj0YJSlDCFPUO5C7wuEqh4+EgacAiy23LUtunKVJ9MQ7t+TtKe +RijI84KK58RcM4ukHHwbCb9ww1mEUjTlcJBJ/n70iNoTGKGCZ18IpyFvK8atSf1j +t67k9hS2wS7VJNqw3Orm6xJDqGi3fMFtWg9ErxrtNkIMYmrO+ofRsilUcpUrEDyv +2Q/FNviOVE9BXzVVJ7zxOCwjMNJ4ao6Ezk0NOZU36qv0Bg8B3IWN6axWMwUQvfh0 +SAzZUGxfzuraG86Rj1z21PJwJxQATIRhERfm118EAVxwP/xz0Nwrr044Hx0Wi8mX +6qi0B5d1rf08VAUoJ/Bhr7Lfbpjbi0z4mvwZh+ydRrowDoff+g0IAamzRVmcFVFy +OdLM2iM9z10Ds6dPvi6QVvTMZfrE3l1MIpFb+YuOeU5AQFbl0so2HaWP1TMb/0pQ +jhXh9WwSOfwjG1QyEibs4CxSMbJ2TwPYLNo9QQZnBdPMPBUfa0Jkahw+NnztHjEN +sHbsr/ic1Zvi7HuaUTCKzm1oGeiIqIBXtH8WrQsQlAWiJdEvu2YkKAyjxUOD9reL +4a8NbGve1MeNC1T4onX5OqJ/dCsnnd19ABEBAAG0OEdhYnJpZWwgQ2FydXNvIChS +ZWxlYXNlIE1hbmFnZXIpIDxjYXJ1c29nYWJyaWVsQHBocC5uZXQ+iQJUBBMBCAA+ +FiEEv93ShkKCT4EY73eQm2elwSIpEY8FAl629C4CGwMFCQeEzgAFCwkIBwIGFQoJ +CAsCBBYCAwECHgECF4AACgkQm2elwSIpEY93YRAAorek8NdIxkegDBXSrVVR0wA3 +FsT7tMT25cVDHpV0NnGVoRYRQW65rjW7zPAKHe/oXk6MOuVbCg9Gr9znJa/KlQHs +i0Hsv+6+w6rLpXw8aQfikfFgLIVOELY6/MoVcao2vEXvQ0gDPo3JKVA+W7lMrY+s +LUyJcww9yI1181qBJRlAp5wwyKPiqNExHKlxRklMSR6vgJHocL7hSWcGPpSmKMqq +5oZkwB73mhEktXAI6yEuAeOKEx7XarBfWeN4BCo9BHgpnslR5pjgzWjKbHK5k+XB +S0ApKi4dDuzuDcodqhIhqUhrFj04LGznYfnLa7IVuupINVY+HX/OBd9+a7qEH+hF +7IOGFwfjv5xOCfbdzDzp3v4G6mluzTmDxByNta/T30hFtWmKsqY5FP7ip1eN6//D +vhZlQVcpbs8WEeivo8BRvbMBy6tW/hFMhWxEPrA+i9QqCRt0l5f29smtnJyCcZPi +3AvtZI8qK+fgFgEinbz+NnOXY62JLJl/+GucSoWnx9rgOJb2ZEDcTFuN8JCo4YxP +AvACSPib4CF03nnFhAuyP/qnPcDKwFGhLUT++3FIilEACZ/dSGEylGQqTSYDl/gy +xCpHslnZt6f2T8ZMd4fuqyrNvWT6sTARjwX3VCCwHNPnM7ik9DWsgZM3gIFrtBwk +fd9zeL2tgxgC25WWkJS5Ag0EXrb0LgEQAN1a0LLbJ+fKNIFqwxsjNM5X5YdyPQMk +kM0mMZzLgZMz3yCSUFw/ZbfD6ZqRfpxugek39M2l8BRA8eWo0TiFAq2HdD9yXBfq +iWc1DFL0ZkVgJtSM8czE4IX1EON7BRwin0BkOChn+PE0JWKdvrjyo6bZ995YFyNk +A3GlUxSyoAhaivPFfrSoKBUSXSiZBk9KzdrS5k76ZlhE73Vej1S5XCz+Ssqj6X68 
+3iDqTWlkXaUJ8EAnwv+b81zPmnjfxnAWYxa/Hi+vGWxDgDhP4El+XJSLjcEB5JWt +0a1UkSKXigz7LkYib1s091mIkTPsNmtsh5c2opGMoWJdwbZvyqgM3VqrlCIkLdGi +Thqvhh85kKkvgg1Bicg0d00vmWlzJ4MFhkbt0pTLY7hp+e+PF3gWey9inmqbiz52 +Xag8PQav7opOi1fb95Wvi/BkMZ6v5nmjxzQEe+HaF4UjZG1fFwVp3Hss2V2DvT2Q +Azz/JV1Aj0aNFo37VAVebKqkdrxNCRQQg4p630kwEImRwJTYY8tVNUlVQPbdVwkY +JvdhXjsVXApPoxBhU20S5qevxMiI/2FhEHHgm5PmokSaXiDgII7Gm4sUgoAreslv +OmydpQeGKSOU5gZ1MQtvfBvdcQQfV1klnCTtYQMV/6lNUXEx9LlXzaQ3/Ah0LC0X +SV+8B9zz/A0FABEBAAGJAjwEGAEIACYWIQS/3dKGQoJPgRjvd5CbZ6XBIikRjwUC +Xrb0LgIbDAUJB4TOAAAKCRCbZ6XBIikRj1+vD/9KA9EvHdPNyDk8jU/dUvPYKqLc +QTKA0cBpDcv9+N0bfVFijBtw8Hpyg+23Q0XxJuwpgL7N72HLxCJzrpfIyucc5j99 ++Wrh1wrbqdynkKJ9hM24lMhj2ZHaP42oN6At4unLFGh80a+YkJFjTxh9jORvtjXp +Qjzq+j+8isQ5i71yT9WTzesJBhtrLMVQrgOND5E6AS/IuUEjOHt3INuG2HFJp0jR +tdlBT9ZLB+zoTJIIMARUqZGZTgF+rehVIsTXed7fdWidMK9GKN9SU+cBWZ3vcb37 +lDph8bCmRb/aGlby5hBUy6KwrSXF/V6VsyqWiccXzt99Dq0BfuSE+VCKYjHToyw4 +j9gnlrZdH2NMwyUgicKbc8GLbxGS6tzYrSy2MD+BILQD+cnpGgAyD2kbcEm6ghGW +LTTi11cotcr0uXCLiPZwWG28ychx9HxXvvNUNArvDSmP26uZqo/WZFYukaaFLltQ +ocI5PEAkx2K4N+xb0y5Ht/8M+XNO/t/pAR+yHWNUpZUgbZ0dujm5hPdVA9U51cyH +MCucOl0sN0+oO26re7e0ZTnImjF6HBzgN5LhDmccoT4rpOFJqrW77hOMhvIUkg5n +4Sd63wbB88BKsPXF6mRUEPcHuvwLr5jAE8QSW6sLhphAbh57GXdFtudEaKvQbGW9 +yalYwuj7Yip5XJGttg== +=jLhZ -----END PGP PUBLIC KEY BLOCK----- diff --git a/php.ini b/php.ini index d0ae9d12009bb1c0dc77ea237b1c55242ce8535d..3ff09971b4b69fc9d73b8672fe5988a87c871139 100644 --- a/php.ini +++ b/php.ini 
@@ -9,15 +9,15 @@ ; PHP attempts to find and load this configuration from a number of locations. ; The following is a summary of its search order: ; 1. SAPI module specific location. -; 2. The PHPRC environment variable. -; 3. A number of predefined registry keys on Windows +; 2. The PHPRC environment variable. (As of PHP 5.2.0) +; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) ; 4. Current working directory (except CLI) ; 5. The web server's directory (for SAPI modules), or directory of PHP ; (otherwise in Windows) ; 6. The directory from the --with-config-file-path compile time option, or the ; Windows directory (usually C:\windows) ; See the PHP docs for more specific information. -; https://php.net/configuration.file +; http://php.net/configuration.file ; The syntax of the file is extremely simple. Whitespace and lines ; beginning with a semicolon are silently ignored (as you probably guessed). @@ -31,7 +31,7 @@ ; special sections cannot be overridden by user-defined INI files or ; at runtime. Currently, [PATH=] and [HOST=] sections only work under ; CGI/FastCGI. -; https://php.net/ini.sections +; http://php.net/ini.sections ; Directives are specified using the following syntax: ; directive = value @@ -75,7 +75,7 @@ ; php.ini-production contains settings which hold security, performance and ; best practices at its core. But please be aware, these settings may break -; compatibility with older or less security-conscious applications. We +; compatibility with older or less security conscience applications. We ; recommending using the production ini in production and testing environments. ; php.ini-development is very similar to its production variant, except it is @@ -144,11 +144,6 @@ ; Development Value: 5 ; Production Value: 5 -; session.sid_length -; Default Value: 32 -; Development Value: 26 -; Production Value: 26 - ; short_open_tag ; Default Value: On ; Development Value: Off 
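Review bot: The reference link in the `@@ -9,15` hunk changes from `https://php.net/configuration.file` to `http://php.net/configuration.file`, and the same scheme change repeats on every reference URL in the later php.ini hunks (`ini.sections`, `engine`, `open-basedir`, `disable-functions`, `error-reporting` and the rest). These are comments, so PHP's behaviour does not change, but an administrator who follows them requests security-relevant guidance over an unauthenticated channel unless the site redirects. I would keep the `https://` form, e.g. `; https://php.net/configuration.file`, even when the rest of the file is synced to an older template.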
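Review bot: The `@@ -75,7` hunk replaces "less security-conscious applications" with "less security conscience applications", which reintroduces a wording error in the paragraph that tells administrators which ini template to deploy. Keep the line as `; compatibility with older or less security-conscious applications. We`.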
@@ -159,11 +154,6 @@ ; Development Value: "GPCS" ; Production Value: "GPCS" -; zend.assertions -; Default Value: 1 -; Development Value: 1 -; Production Value: -1 - ; zend.exception_ignore_args ; Default Value: Off ; Development Value: Off @@ -191,7 +181,7 @@ ;;;;;;;;;;;;;;;;;;;; ; Enable the PHP scripting language engine under Apache. -; https://php.net/engine +; http://php.net/engine engine = On ; This directive determines whether or not PHP will recognize code between @@ -204,11 +194,11 @@ engine = On ; Default Value: On ; Development Value: Off ; Production Value: Off -; https://php.net/short-open-tag +; http://php.net/short-open-tag short_open_tag = Off ; The number of significant digits displayed in floating point numbers. -; https://php.net/precision +; http://php.net/precision precision = 14 ; Output buffering is a mechanism for controlling how much output data @@ -232,7 +222,7 @@ precision = 14 ; Default Value: Off ; Development Value: 4096 ; Production Value: 4096 -; https://php.net/output-buffering +; http://php.net/output-buffering output_buffering = 4096 ; You can redirect all of the output of your scripts to a function. For @@ -247,7 +237,7 @@ output_buffering = 4096 ; and you cannot use both "ob_gzhandler" and "zlib.output_compression". ; Note: output_handler must be empty if this is set 'On' !!!! ; Instead you must use zlib.output_handler. -; https://php.net/output-handler +; http://php.net/output-handler ;output_handler = ; URL rewriter function rewrites URL on the fly by using 
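Review bot: The `@@ -159,11` hunk removes the quick-reference entry that records `zend.assertions` as `-1` for production against a built-in default of 1, and the hunk does not show whether the directive itself is still set further down the file. If the PHP build this file ships with supports the directive, the packaged default should still carry `zend.assertions = -1` so that assertion code is not compiled into production requests, and the quick-reference block should keep listing it as a value that differs from the default. If the directive line was dropped as well, that is worth confirming against the target PHP version before merging.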
@@ -276,16 +266,16 @@ output_buffering = 4096 ; performance, enable output_buffering in addition. ; Note: You need to use zlib.output_handler instead of the standard ; output_handler, or otherwise the output will be corrupted. -; https://php.net/zlib.output-compression +; http://php.net/zlib.output-compression zlib.output_compression = Off -; https://php.net/zlib.output-compression-level +; http://php.net/zlib.output-compression-level ;zlib.output_compression_level = -1 ; You cannot specify additional output handlers if zlib.output_compression ; is activated here. This setting does the same as output_handler but in ; a different order. -; https://php.net/zlib.output-handler +; http://php.net/zlib.output-handler ;zlib.output_handler = ; Implicit flush tells PHP to tell the output layer to flush itself @@ -293,7 +283,7 @@ zlib.output_compression = Off ; PHP function flush() after each and every call to print() or echo() and each ; and every HTML block. Turning this option on has serious performance ; implications and is generally recommended for debugging purposes only. -; https://php.net/implicit-flush +; http://php.net/implicit-flush ; Note: This directive is hardcoded to On for the CLI SAPI implicit_flush = Off 
@@ -324,22 +314,22 @@ serialize_precision = -1 ; and below. This directive makes most sense if used in a per-directory ; or per-virtualhost web server configuration file. ; Note: disables the realpath cache -; https://php.net/open-basedir +; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions. ; It receives a comma-delimited list of function names. -; https://php.net/disable-functions +; http://php.net/disable-functions disable_functions = ; This directive allows you to disable certain classes. ; It receives a comma-delimited list of class names. -; https://php.net/disable-classes +; http://php.net/disable-classes disable_classes = ; Colors for Syntax Highlighting mode. Anything that's acceptable in ; would work. -; https://php.net/syntax-highlighting +; http://php.net/syntax-highlighting ;highlight.string = #DD0000 ;highlight.comment = #FF9900 ;highlight.keyword = #007700 
@@ -350,24 +340,24 @@ disable_classes = ; the request. Consider enabling it if executing long requests, which may end up ; being interrupted by the user or a browser timing out. PHP's default behavior ; is to disable this feature. -; https://php.net/ignore-user-abort +; http://php.net/ignore-user-abort ;ignore_user_abort = On ; Determines the size of the realpath cache to be used by PHP. This value should ; be increased on systems where PHP opens many files to reflect the quantity of ; the file operations performed. ; Note: if open_basedir is set, the cache is disabled -; https://php.net/realpath-cache-size +; http://php.net/realpath-cache-size ;realpath_cache_size = 4096k ; Duration of time, in seconds for which to cache realpath information for a given ; file or directory. For systems with rarely changing files, consider increasing this ; value. -; https://php.net/realpath-cache-ttl +; http://php.net/realpath-cache-ttl ;realpath_cache_ttl = 120 ; Enables or disables the circular reference collector. -; https://php.net/zend.enable-gc +; http://php.net/zend.enable-gc zend.enable_gc = On ; If enabled, scripts may be written in encodings that are incompatible with @@ -406,7 +396,7 @@ zend.exception_string_param_max_len = 0 ; (e.g. by adding its signature to the Web server header). It is no security ; threat in any way, but it makes it possible to determine whether you use PHP ; on your server or not. -; https://php.net/expose-php +; http://php.net/expose-php expose_php = On ;;;;;;;;;;;;;;;;;;; @@ -414,7 +404,7 @@ expose_php = On ;;;;;;;;;;;;;;;;;;; ; Maximum execution time of each script, in seconds -; https://php.net/max-execution-time +; http://php.net/max-execution-time ; Note: This directive is hardcoded to 0 for the CLI SAPI max_execution_time = 30 
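Review bot: The `@@ -406,7` hunk only touches the reference URL, but the new side still ships `expose_php = On` under a comment stating that it is "no security threat in any way". The same comment says the setting adds PHP's signature to the web server header and lets a client determine whether PHP is in use. For a distribution default I would ship `expose_php = Off` and soften the comment to say that the setting discloses the presence of PHP to clients. This is existing context rather than something the commit introduces.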
@@ -425,23 +415,18 @@ max_execution_time = 30 ; Default Value: -1 (Unlimited) ; Development Value: 60 (60 seconds) ; Production Value: 60 (60 seconds) -; https://php.net/max-input-time +; http://php.net/max-input-time max_input_time = 60 ; Maximum input variable nesting level -; https://php.net/max-input-nesting-level +; http://php.net/max-input-nesting-level ;max_input_nesting_level = 64 ; How many GET/POST/COOKIE input variables may be accepted ;max_input_vars = 1000 -; How many multipart body parts (combined input variable and file uploads) may -; be accepted. -; Default Value: -1 (Sum of max_input_vars and max_file_uploads) -;max_multipart_body_parts = 1500 - ; Maximum amount of memory a script may consume -; https://php.net/memory-limit +; http://php.net/memory-limit memory_limit = 128M ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; @@ -464,7 +449,7 @@ memory_limit = 128M ; development and early testing. ; ; Error Level Constants: -; E_ALL - All errors and warnings +; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0) ; E_ERROR - fatal run-time errors ; E_RECOVERABLE_ERROR - almost fatal run-time errors ; E_WARNING - run-time warnings (non-fatal errors) @@ -497,7 +482,7 @@ memory_limit = 128M ; Default Value: E_ALL ; Development Value: E_ALL ; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT -; https://php.net/error-reporting +; http://php.net/error-reporting error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT ; This directive controls whether or not and where PHP will output errors, @@ -514,7 +499,7 @@ error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT ; Default Value: On ; Development Value: On ; Production Value: Off -; https://php.net/display-errors +; http://php.net/display-errors display_errors = Off ; The display of errors which occur during PHP's startup sequence are handled 
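Review bot: The `@@ -425,23` hunk deletes the commented `;max_multipart_body_parts = 1500` entry together with its description. If the PHP build packaged with this file still recognises the directive, administrators lose the only in-file hint that the number of multipart body parts can be capped, which matters for bounding the work spent parsing oversized multipart requests. If the build does not recognise it, a short comment saying so would serve readers better than silent removal, e.g. `; max_multipart_body_parts is not available in this PHP version`.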
@@ -523,7 +508,7 @@ display_errors = Off ; Default Value: On ; Development Value: On ; Production Value: Off -; https://php.net/display-startup-errors +; http://php.net/display-startup-errors display_startup_errors = Off ; Besides displaying errors, PHP can also log errors to locations such as a @@ -533,31 +518,36 @@ display_startup_errors = Off ; Default Value: Off ; Development Value: On ; Production Value: On -; https://php.net/log-errors +; http://php.net/log-errors log_errors = On +; Set maximum length of log_errors. In error_log information about the source is +; added. The default is 1024 and 0 allows to not apply any maximum length at all. +; http://php.net/log-errors-max-len +log_errors_max_len = 1024 + ; Do not log repeated messages. Repeated errors must occur in same file on same ; line unless ignore_repeated_source is set true. -; https://php.net/ignore-repeated-errors +; http://php.net/ignore-repeated-errors ignore_repeated_errors = Off ; Ignore source of message when ignoring repeated messages. When this setting ; is On you will not log errors with repeated messages from different files or ; source lines. -; https://php.net/ignore-repeated-source +; http://php.net/ignore-repeated-source ignore_repeated_source = Off ; If this parameter is set to Off, then memory leaks will not be shown (on ; stdout or in the log). This is only effective in a debug compile, and if ; error reporting includes E_WARNING in the allowed list -; https://php.net/report-memleaks +; http://php.net/report-memleaks report_memleaks = On ; This setting is off by default. ;report_zend_debug = 0 ; Turn off normal error reporting and emit XML-RPC error XML -; https://php.net/xmlrpc-errors +; http://php.net/xmlrpc-errors ;xmlrpc_errors = 0 ; An XML-RPC faultCode 
@@ -567,40 +557,40 @@ report_memleaks = On ; error message as HTML for easier reading. This directive controls whether ; the error message is formatted as HTML or not. ; Note: This directive is hardcoded to Off for the CLI SAPI -; https://php.net/html-errors +; http://php.net/html-errors ;html_errors = On ; If html_errors is set to On *and* docref_root is not empty, then PHP ; produces clickable error messages that direct to a page describing the error ; or function causing the error in detail. -; You can download a copy of the PHP manual from https://php.net/docs +; You can download a copy of the PHP manual from http://php.net/docs ; and change docref_root to the base URL of your local copy including the ; leading '/'. You must also specify the file extension being used including ; the dot. PHP's default behavior is to leave these settings empty, in which ; case no links to documentation are generated. ; Note: Never use this feature for production boxes. -; https://php.net/docref-root +; http://php.net/docref-root ; Examples ;docref_root = "/phpmanual/" -; https://php.net/docref-ext +; http://php.net/docref-ext ;docref_ext = .html ; String to output before an error message. PHP's default behavior is to leave ; this setting blank. -; https://php.net/error-prepend-string +; http://php.net/error-prepend-string ; Example: ;error_prepend_string = "" ; String to output after an error message. PHP's default behavior is to leave ; this setting blank. -; https://php.net/error-append-string +; http://php.net/error-append-string ; Example: ;error_append_string = "" ; Log errors to specified file. PHP's default behavior is to leave this value ; empty. -; https://php.net/error-log +; http://php.net/error-log ; Example: ;error_log = php_errors.log ; Log errors to syslog (Event Log on Windows). 
@@ -623,7 +613,7 @@ report_memleaks = On ; no-ctrl (all characters except control characters) ; all (all characters) ; raw (like "all", but messages are not split at newlines) -; https://php.net/syslog.filter +; http://php.net/syslog.filter ;syslog.filter = ascii ;windows.show_crt_warning @@ -637,14 +627,14 @@ report_memleaks = On ; The separator used in PHP generated URLs to separate arguments. ; PHP's default setting is "&". -; https://php.net/arg-separator.output +; http://php.net/arg-separator.output ; Example: ;arg_separator.output = "&" ; List of separator(s) used by PHP to parse input URLs into variables. ; PHP's default setting is "&". ; NOTE: Every character in this directive is considered as separator! -; https://php.net/arg-separator.input +; http://php.net/arg-separator.input ; Example: ;arg_separator.input = ";&" @@ -658,7 +648,7 @@ report_memleaks = On ; Default Value: "EGPCS" ; Development Value: "GPCS" ; Production Value: "GPCS"; -; https://php.net/variables-order +; http://php.net/variables-order variables_order = "GPCS" ; This directive determines which super global data (G,P & C) should be @@ -671,7 +661,7 @@ variables_order = "GPCS" ; Default Value: None ; Development Value: "GP" ; Production Value: "GP" -; https://php.net/request-order +; http://php.net/request-order request_order = "GP" ; This directive determines whether PHP registers $argv & $argc each time it @@ -686,7 +676,7 @@ request_order = "GP" ; Default Value: On ; Development Value: Off ; Production Value: Off -; https://php.net/register-argc-argv +; http://php.net/register-argc-argv register_argc_argv = Off ; When enabled, the ENV, REQUEST and SERVER variables are created when they're 
@@ -694,7 +684,7 @@ register_argc_argv = Off ; variables are not used within a script, having this directive on will result ; in a performance gain. The PHP directive register_argc_argv must be disabled ; for this directive to have any effect. -; https://php.net/auto-globals-jit +; http://php.net/auto-globals-jit auto_globals_jit = On ; Whether PHP will read the POST data. 
@@ -703,48 +693,48 @@ auto_globals_jit = On ; and $_FILES to always be empty; the only way you will be able to read the ; POST data will be through the php://input stream wrapper. This can be useful ; to proxy requests or to process the POST data in a memory efficient fashion. -; https://php.net/enable-post-data-reading +; http://php.net/enable-post-data-reading ;enable_post_data_reading = Off ; Maximum size of POST data that PHP will accept. ; Its value may be 0 to disable the limit. It is ignored if POST data reading ; is disabled through enable_post_data_reading. -; https://php.net/post-max-size +; http://php.net/post-max-size post_max_size = 8M ; Automatically add files before PHP document. -; https://php.net/auto-prepend-file +; http://php.net/auto-prepend-file auto_prepend_file = ; Automatically add files after PHP document. -; https://php.net/auto-append-file +; http://php.net/auto-append-file auto_append_file = ; By default, PHP will output a media type using the Content-Type header. To ; disable this, simply set it to be empty. ; ; PHP's built-in default media type is set to text/html. -; https://php.net/default-mimetype +; http://php.net/default-mimetype default_mimetype = "text/html" ; PHP's default character set is set to UTF-8. -; https://php.net/default-charset +; http://php.net/default-charset default_charset = "UTF-8" ; PHP internal character encoding is set to empty. ; If empty, default_charset is used. -; https://php.net/internal-encoding +; http://php.net/internal-encoding ;internal_encoding = ; PHP input character encoding is set to empty. ; If empty, default_charset is used. -; https://php.net/input-encoding +; http://php.net/input-encoding ;input_encoding = ; PHP output character encoding is set to empty. ; If empty, default_charset is used. ; See also output_buffer. -; https://php.net/output-encoding +; http://php.net/output-encoding ;output_encoding = ;;;;;;;;;;;;;;;;;;;;;;;;; 
@@ -758,23 +748,23 @@ default_charset = "UTF-8" ;include_path = ".;c:\php\includes" ; ; PHP's default setting for include_path is ".;/path/to/php/pear" -; https://php.net/include-path +; http://php.net/include-path ; The root of the PHP pages, used only if nonempty. ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root ; if you are running php as a CGI under any web server (other than IIS) ; see documentation for security issues. The alternate is to use the ; cgi.force_redirect configuration below -; https://php.net/doc-root +; http://php.net/doc-root doc_root = ; The directory under which PHP opens the script using /~username used only ; if nonempty. -; https://php.net/user-dir +; http://php.net/user-dir user_dir = ; Directory in which the loadable extensions (modules) reside. -; https://php.net/extension-dir +; http://php.net/extension-dir ;extension_dir = "./" ; On windows: ;extension_dir = "ext" @@ -786,14 +776,14 @@ user_dir = ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically ; disabled on them. -; https://php.net/enable-dl +; http://php.net/enable-dl enable_dl = Off ; cgi.force_redirect is necessary to provide security running PHP as a CGI under ; most web servers. Left undefined, PHP turns this on by default. You can ; turn it off here AT YOUR OWN RISK ; **You CAN safely turn this off for IIS, in fact, you MUST.** -; https://php.net/cgi.force-redirect +; http://php.net/cgi.force-redirect ;cgi.force_redirect = 1 ; if cgi.nph is enabled it will force cgi to always sent Status: 200 with 
@@ -804,7 +794,7 @@ enable_dl = Off ; (iPlanet) web servers, you MAY need to set an environment variable name that PHP ; will look for to know it is OK to continue execution. Setting this variable MAY ; cause security issues, KNOW WHAT YOU ARE DOING FIRST. -; https://php.net/cgi.redirect-status-env +; http://php.net/cgi.redirect-status-env ;cgi.redirect_status_env = ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's @@ -813,7 +803,7 @@ enable_dl = Off ; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting ; of zero causes PHP to behave as before. Default is 1. You should fix your scripts ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. -; https://php.net/cgi.fix-pathinfo +; http://php.net/cgi.fix-pathinfo ;cgi.fix_pathinfo=1 ; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside @@ -825,7 +815,7 @@ enable_dl = Off ; security context that the request runs under. mod_fastcgi under Apache ; does not currently support this feature (03/17/2002) ; Set to 1 if running under IIS. Default is zero. -; https://php.net/fastcgi.impersonate +; http://php.net/fastcgi.impersonate ;fastcgi.impersonate = 1 ; Disable logging through FastCGI connection. PHP's default behavior is to enable @@ -837,14 +827,14 @@ enable_dl = Off ; is supported by Apache. When this option is set to 1, PHP will send ; RFC2616 compliant header. ; Default is zero. -; https://php.net/cgi.rfc2616-headers +; http://php.net/cgi.rfc2616-headers ;cgi.rfc2616_headers = 0 ; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #! ; (shebang) at the top of the running script. This line might be needed if the ; script support running both as stand-alone script and via PHP CGI<. PHP in CGI ; mode skips this line and ignores its content if this directive is turned on. -; https://php.net/cgi.check-shebang-line +; http://php.net/cgi.check-shebang-line ;cgi.check_shebang_line=1 ;;;;;;;;;;;;;;;; 
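Review bot: The `@@ -813,7 +803,7 @@` hunk keeps `;cgi.fix_pathinfo=1` as the sample value with no caveat, while neighbouring CGI directives in this file carry explicit security warnings. With the setting at 1, PHP adjusts the script path itself. On FastCGI deployments where the web server forwards request paths without checking that the target script exists, PHP may then run a different file from the one the server intended. I would add a comment such as `; Security: have the web server verify the script exists before passing the request, or set cgi.fix_pathinfo=0.` The comment block for this directive starts above the hunk.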
@@ -852,16 +842,16 @@ enable_dl = Off ;;;;;;;;;;;;;;;; ; Whether to allow HTTP file uploads. -; https://php.net/file-uploads +; http://php.net/file-uploads file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). -; https://php.net/upload-tmp-dir +; http://php.net/upload-tmp-dir ;upload_tmp_dir = ; Maximum allowed size for uploaded files. -; https://php.net/upload-max-filesize +; http://php.net/upload-max-filesize upload_max_filesize = 2M ; Maximum number of files that can be uploaded via a single request @@ -872,24 +862,24 @@ max_file_uploads = 20 ;;;;;;;;;;;;;;;;;; ; Whether to allow the treatment of URLs (like http:// or ftp://) as files. -; https://php.net/allow-url-fopen +; http://php.net/allow-url-fopen allow_url_fopen = On -; Whether to allow include/require to open URLs (like https:// or ftp://) as files. -; https://php.net/allow-url-include +; Whether to allow include/require to open URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-include allow_url_include = Off ; Define the anonymous ftp password (your email address). PHP's default setting ; for this is empty. -; https://php.net/from +; http://php.net/from ;from="john@doe.com" ; Define the User-Agent string. PHP's default setting for this is empty. -; https://php.net/user-agent +; http://php.net/user-agent ;user_agent="PHP" ; Default timeout for socket based streams (seconds) -; https://php.net/default-socket-timeout +; http://php.net/default-socket-timeout default_socket_timeout = 60 ; If your scripts have to deal with files from Macintosh systems, @@ -897,7 +887,7 @@ default_socket_timeout = 60 ; unix or win32 systems, setting this flag will cause PHP to ; automatically detect the EOL character in those files so that ; fgets() and file() will work regardless of the source of the file. -; https://php.net/auto-detect-line-endings +; http://php.net/auto-detect-line-endings ;auto_detect_line_endings = Off ;;;;;;;;;;;;;;;;;;;;;; 
@@ -938,26 +928,26 @@ cli_server.color = On [Date] ; Defines the default timezone used by the date functions -; https://php.net/date.timezone +; http://php.net/date.timezone ;date.timezone = -; https://php.net/date.default-latitude +; http://php.net/date.default-latitude ;date.default_latitude = 31.7667 -; https://php.net/date.default-longitude +; http://php.net/date.default-longitude ;date.default_longitude = 35.2333 -; https://php.net/date.sunrise-zenith +; http://php.net/date.sunrise-zenith ;date.sunrise_zenith = 90.833333 -; https://php.net/date.sunset-zenith +; http://php.net/date.sunset-zenith ;date.sunset_zenith = 90.833333 [filter] -; https://php.net/filter.default +; http://php.net/filter.default ;filter.default = unsafe_raw -; https://php.net/filter.default-flags +; http://php.net/filter.default-flags ;filter.default_flags = [iconv] @@ -995,7 +985,7 @@ cli_server.color = On [sqlite3] ; Directory pointing to SQLite3 extensions -; https://php.net/sqlite3.extension-dir +; http://php.net/sqlite3.extension-dir ;sqlite3.extension_dir = ; SQLite defensive mode flag (only available from SQLite 3.26+) @@ -1009,14 +999,14 @@ cli_server.color = On [Pcre] ; PCRE library backtracking limit. -; https://php.net/pcre.backtrack-limit +; http://php.net/pcre.backtrack-limit ;pcre.backtrack_limit=100000 ; PCRE library recursion limit. ; Please note that if you set this value to a high number you may consume all ; the available process stack and eventually crash PHP (due to reaching the ; stack size limit imposed by the Operating System). -; https://php.net/pcre.recursion-limit +; http://php.net/pcre.recursion-limit ;pcre.recursion_limit=100000 ; Enables or disables JIT compilation of patterns. This requires the PCRE @@ -1025,7 +1015,7 @@ pcre.jit=0 [Pdo] ; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off" -; https://php.net/pdo-odbc.connection-pooling +; http://php.net/pdo-odbc.connection-pooling ;pdo_odbc.connection_pooling=strict [Pdo_mysql] 
@@ -1034,17 +1024,17 @@ pcre.jit=0 pdo_mysql.default_socket= [Phar] -; https://php.net/phar.readonly +; http://php.net/phar.readonly ;phar.readonly = On -; https://php.net/phar.require-hash +; http://php.net/phar.require-hash ;phar.require_hash = On ;phar.cache_list = [mail function] ; For Unix only. You may supply arguments as well (default: "sendmail -t -i"). -; https://php.net/sendmail-path +; http://php.net/sendmail-path sendmail_path = /usr/sbin/sendmail -t -i ; Force the addition of the specified parameters to be passed as extra parameters @@ -1055,10 +1045,6 @@ sendmail_path = /usr/sbin/sendmail -t -i ; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename mail.add_x_header = Off -; Use mixed LF and CRLF line separators to keep compatibility with some -; RFC 2822 non conformant MTA. -mail.mixed_lf_and_crlf = Off - ; The path to a log file that will log all mail() calls. Log entries include ; the full path of the script, line number, To address and headers. ;mail.log = @@ -1066,13 +1052,13 @@ mail.mixed_lf_and_crlf = Off ;mail.log = syslog [ODBC] -; https://php.net/odbc.default-db +; http://php.net/odbc.default-db ;odbc.default_db = Not yet implemented -; https://php.net/odbc.default-user +; http://php.net/odbc.default-user ;odbc.default_user = Not yet implemented -; https://php.net/odbc.default-pw +; http://php.net/odbc.default-pw ;odbc.default_pw = Not yet implemented ; Controls the ODBC cursor model. 
@@ -1080,72 +1066,68 @@ mail.mixed_lf_and_crlf = Off ;odbc.default_cursortype ; Allow or prevent persistent links. -; https://php.net/odbc.allow-persistent +; http://php.net/odbc.allow-persistent odbc.allow_persistent = On ; Check that a connection is still valid before reuse. -; https://php.net/odbc.check-persistent +; http://php.net/odbc.check-persistent odbc.check_persistent = On ; Maximum number of persistent links. -1 means no limit. -; https://php.net/odbc.max-persistent +; http://php.net/odbc.max-persistent odbc.max_persistent = -1 ; Maximum number of links (persistent + non-persistent). -1 means no limit. -; https://php.net/odbc.max-links +; http://php.net/odbc.max-links odbc.max_links = -1 ; Handling of LONG fields. Returns number of bytes to variables. 0 means ; passthru. -; https://php.net/odbc.defaultlrl +; http://php.net/odbc.defaultlrl odbc.defaultlrl = 4096 ; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char. ; See the documentation on odbc_binmode and odbc_longreadlen for an explanation ; of odbc.defaultlrl and odbc.defaultbinmode -; https://php.net/odbc.defaultbinmode +; http://php.net/odbc.defaultbinmode odbc.defaultbinmode = 1 [MySQLi] ; Maximum number of persistent links. -1 means no limit. -; https://php.net/mysqli.max-persistent +; http://php.net/mysqli.max-persistent mysqli.max_persistent = -1 ; Allow accessing, from PHP's perspective, local files with LOAD DATA statements -; https://php.net/mysqli.allow_local_infile +; http://php.net/mysqli.allow_local_infile ;mysqli.allow_local_infile = On -; It allows the user to specify a folder where files that can be sent via LOAD DATA -; LOCAL can exist. It is ignored if mysqli.allow_local_infile is enabled. -;mysqli.local_infile_directory = - ; Allow or prevent persistent links. -; https://php.net/mysqli.allow-persistent +; http://php.net/mysqli.allow-persistent mysqli.allow_persistent = On ; Maximum number of links. -1 means no limit. 
-; https://php.net/mysqli.max-links +; http://php.net/mysqli.max-links mysqli.max_links = -1 ; Default port number for mysqli_connect(). If unset, mysqli_connect() will use ; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the ; compile-time value defined MYSQL_PORT (in that order). Win32 will only look ; at MYSQL_PORT. -; https://php.net/mysqli.default-port +; http://php.net/mysqli.default-port mysqli.default_port = 3306 ; Default socket name for local MySQL connects. If empty, uses the built-in ; MySQL defaults. -; https://php.net/mysqli.default-socket +; http://php.net/mysqli.default-socket mysqli.default_socket = ; Default host for mysqli_connect() (doesn't apply in safe mode). -; https://php.net/mysqli.default-host +; http://php.net/mysqli.default-host mysqli.default_host = ; Default user for mysqli_connect() (doesn't apply in safe mode). -; https://php.net/mysqli.default-user +; http://php.net/mysqli.default-user mysqli.default_user = ; Default password for mysqli_connect() (doesn't apply in safe mode). @@ -1153,13 +1135,11 @@ mysqli.default_user = ; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw") ; and reveal this password! And of course, any users with read access to this ; file will be able to reveal the password as well. -; https://php.net/mysqli.default-pw +; http://php.net/mysqli.default-pw mysqli.default_pw = -; If this option is enabled, closing a persistent connection will rollback -; any pending transactions of this connection, before it is put back -; into the persistent connection pool. -;mysqli.rollback_on_cached_plink = Off +; Allow or prevent reconnect +mysqli.reconnect = Off [mysqlnd] ; Enable / Disable collection of general statistics by mysqlnd which can be 
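Review bot: In the `@@ -1080,72 +1066,68 @@` hunk, the sample `;mysqli.allow_local_infile = On` remains while the `mysqli.local_infile_directory` block is removed. The new side therefore no longer documents any way to confine LOAD DATA LOCAL to a directory. Uncommenting the sample as written would let a database server the application connects to request files readable by PHP. I would ship the sample as `;mysqli.allow_local_infile = Off` and extend the comment with `; Leave disabled unless every MySQL server PHP connects to is trusted.`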
@@ -1172,7 +1152,7 @@ mysqlnd.collect_memory_statistics = Off ; Records communication from all extensions using mysqlnd to the specified log ; file. -; https://php.net/mysqlnd.debug +; http://php.net/mysqlnd.debug ;mysqlnd.debug = ; Defines which queries will be logged. @@ -1197,44 +1177,44 @@ mysqlnd.collect_memory_statistics = Off [PostgreSQL] ; Allow or prevent persistent links. -; https://php.net/pgsql.allow-persistent +; http://php.net/pgsql.allow-persistent pgsql.allow_persistent = On ; Detect broken persistent links always with pg_pconnect(). ; Auto reset feature requires a little overheads. -; https://php.net/pgsql.auto-reset-persistent +; http://php.net/pgsql.auto-reset-persistent pgsql.auto_reset_persistent = Off ; Maximum number of persistent links. -1 means no limit. -; https://php.net/pgsql.max-persistent +; http://php.net/pgsql.max-persistent pgsql.max_persistent = -1 ; Maximum number of links (persistent+non persistent). -1 means no limit. -; https://php.net/pgsql.max-links +; http://php.net/pgsql.max-links pgsql.max_links = -1 ; Ignore PostgreSQL backends Notice message or not. ; Notice message logging require a little overheads. -; https://php.net/pgsql.ignore-notice +; http://php.net/pgsql.ignore-notice pgsql.ignore_notice = 0 ; Log PostgreSQL backends Notice message or not. ; Unless pgsql.ignore_notice=0, module cannot log notice message. -; https://php.net/pgsql.log-notice +; http://php.net/pgsql.log-notice pgsql.log_notice = 0 [bcmath] ; Number of decimal digits for all bcmath functions. -; https://php.net/bcmath.scale +; http://php.net/bcmath.scale bcmath.scale = 0 [browscap] -; https://php.net/browscap +; http://php.net/browscap ;browscap = extra/browscap.ini [Session] ; Handler used to store/retrieve data. -; https://php.net/session.save-handler +; http://php.net/session.save-handler session.save_handler = files ; Argument passed to save_handler. In the case of files, this is the path 
@@ -1263,7 +1243,7 @@ session.save_handler = files ; ; where MODE is the octal representation of the mode. Note that this ; does not overwrite the process's umask. -; https://php.net/session.save-path +; http://php.net/session.save-path ; RPM note : session directory must be owned by process owner ; for mod_php, see /etc/httpd/conf.d/php.conf 
@@ -1280,42 +1260,42 @@ session.save_handler = files session.use_strict_mode = 0 ; Whether to use cookies. -; https://php.net/session.use-cookies +; http://php.net/session.use-cookies session.use_cookies = 1 -; https://php.net/session.cookie-secure +; http://php.net/session.cookie-secure ;session.cookie_secure = ; This option forces PHP to fetch and use a cookie for storing and maintaining ; the session id. We encourage this operation as it's very helpful in combating ; session hijacking when not specifying and managing your own session id. It is ; not the be-all and end-all of session hijacking defense, but it's a good start. -; https://php.net/session.use-only-cookies +; http://php.net/session.use-only-cookies session.use_only_cookies = 1 ; Name of the session (used as cookie name). -; https://php.net/session.name +; http://php.net/session.name session.name = PHPSESSID ; Initialize session on request startup. -; https://php.net/session.auto-start +; http://php.net/session.auto-start session.auto_start = 0 ; Lifetime in seconds of cookie or, if 0, until browser is restarted. -; https://php.net/session.cookie-lifetime +; http://php.net/session.cookie-lifetime session.cookie_lifetime = 0 ; The path for which the cookie is valid. -; https://php.net/session.cookie-path +; http://php.net/session.cookie-path session.cookie_path = / ; The domain for which the cookie is valid. -; https://php.net/session.cookie-domain +; http://php.net/session.cookie-domain session.cookie_domain = ; Whether or not to add the httpOnly flag to the cookie, which makes it ; inaccessible to browser scripting languages such as JavaScript. -; https://php.net/session.cookie-httponly +; http://php.net/session.cookie-httponly session.cookie_httponly = ; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF) 
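Review bot: On the new side of the `@@ -1280,42 +1260,42 @@` hunk, `session.cookie_httponly =` is left empty and `;session.cookie_secure =` is commented out. As far as I can tell, the session cookie then carries neither flag unless the application sets them. The comment already explains that httpOnly keeps the cookie away from browser scripting, so a packaged default of `session.cookie_httponly = 1` matches that advice, and the comment could recommend `session.cookie_secure = 1` for HTTPS-only sites. `session.use_strict_mode = 0` at the top of the hunk also leaves the session module accepting session IDs it did not issue; `session.use_strict_mode = 1` is the safer default. The hunk only edits link lines, so none of this is changed by the commit.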
@@ -1325,7 +1305,7 @@ session.cookie_httponly = session.cookie_samesite = ; Handler used to serialize data. php is the standard serializer of PHP. -; https://php.net/session.serialize-handler +; http://php.net/session.serialize-handler session.serialize_handler = php ; Defines the probability that the 'garbage collection' process is started on every @@ -1334,7 +1314,7 @@ session.serialize_handler = php ; Default Value: 1 ; Development Value: 1 ; Production Value: 1 -; https://php.net/session.gc-probability +; http://php.net/session.gc-probability session.gc_probability = 1 ; Defines the probability that the 'garbage collection' process is started on every @@ -1344,12 +1324,12 @@ session.gc_probability = 1 ; Default Value: 100 ; Development Value: 1000 ; Production Value: 1000 -; https://php.net/session.gc-divisor +; http://php.net/session.gc-divisor session.gc_divisor = 1000 ; After this number of seconds, stored data will be seen as 'garbage' and ; cleaned up by the garbage collection process. -; https://php.net/session.gc-maxlifetime +; http://php.net/session.gc-maxlifetime session.gc_maxlifetime = 1440 ; NOTE: If you are using the subdirectory option for storing session files @@ -1363,16 +1343,16 @@ session.gc_maxlifetime = 1440 ; Check HTTP Referer to invalidate externally stored URLs containing ids. ; HTTP_REFERER has to contain this substring for the session to be ; considered as valid. -; https://php.net/session.referer-check +; http://php.net/session.referer-check session.referer_check = ; Set to {nocache,private,public,} to determine HTTP caching aspects ; or leave this empty to avoid sending anti-caching headers. -; https://php.net/session.cache-limiter +; http://php.net/session.cache-limiter session.cache_limiter = nocache ; Document expires after n minutes. -; https://php.net/session.cache-expire +; http://php.net/session.cache-expire session.cache_expire = 180 ; trans sid support is disabled by default. 
@@ -1384,13 +1364,13 @@ session.cache_expire = 180 ; in publicly accessible computer. ; - User may access your site with the same session ID ; always using URL stored in browser's history or bookmarks. -; https://php.net/session.use-trans-sid +; http://php.net/session.use-trans-sid session.use_trans_sid = 0 ; Set session ID character length. This value could be between 22 to 256. ; Shorter length than default is supported only for compatibility reason. ; Users should use 32 or more chars. -; https://php.net/session.sid-length +; http://php.net/session.sid-length ; Default Value: 32 ; Development Value: 26 ; Production Value: 26 @@ -1405,7 +1385,7 @@ session.sid_length = 26 ; Default Value: "a=href,area=href,frame=src,form=" ; Development Value: "a=href,area=href,frame=src,form=" ; Production Value: "a=href,area=href,frame=src,form=" -; https://php.net/url-rewriter.tags +; http://php.net/url-rewriter.tags session.trans_sid_tags = "a=href,area=href,frame=src,form=" ; URL rewriter does not rewrite absolute URLs by default. @@ -1430,14 +1410,14 @@ session.trans_sid_tags = "a=href,area=href,frame=src,form=" ; Default Value: 4 ; Development Value: 5 ; Production Value: 5 -; https://php.net/session.hash-bits-per-character +; http://php.net/session.hash-bits-per-character session.sid_bits_per_character = 5 ; Enable upload progress tracking in $_SESSION ; Default Value: On ; Development Value: On ; Production Value: On -; https://php.net/session.upload-progress.enabled +; http://php.net/session.upload-progress.enabled ;session.upload_progress.enabled = On ; Cleanup the progress information as soon as all POST data has been read 
@@ -1445,14 +1425,14 @@ session.sid_bits_per_character = 5 ; Default Value: On ; Development Value: On ; Production Value: On -; https://php.net/session.upload-progress.cleanup +; http://php.net/session.upload-progress.cleanup ;session.upload_progress.cleanup = On ; A prefix used for the upload progress key in $_SESSION ; Default Value: "upload_progress_" ; Development Value: "upload_progress_" ; Production Value: "upload_progress_" -; https://php.net/session.upload-progress.prefix +; http://php.net/session.upload-progress.prefix ;session.upload_progress.prefix = "upload_progress_" ; The index name (concatenated with the prefix) in $_SESSION @@ -1460,7 +1440,7 @@ session.sid_bits_per_character = 5 ; Default Value: "PHP_SESSION_UPLOAD_PROGRESS" ; Development Value: "PHP_SESSION_UPLOAD_PROGRESS" ; Production Value: "PHP_SESSION_UPLOAD_PROGRESS" -; https://php.net/session.upload-progress.name +; http://php.net/session.upload-progress.name ;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS" ; How frequently the upload progress should be updated. @@ -1468,18 +1448,18 @@ session.sid_bits_per_character = 5 ; Default Value: "1%" ; Development Value: "1%" ; Production Value: "1%" -; https://php.net/session.upload-progress.freq +; http://php.net/session.upload-progress.freq ;session.upload_progress.freq = "1%" ; The minimum delay between updates, in seconds ; Default Value: 1 ; Development Value: 1 ; Production Value: 1 -; https://php.net/session.upload-progress.min-freq +; http://php.net/session.upload-progress.min-freq ;session.upload_progress.min_freq = "1" ; Only write session data when session data is changed. Enabled by default. -; https://php.net/session.lazy-write +; http://php.net/session.lazy-write ;session.lazy_write = On [Assertion] 
@@ -1487,18 +1467,37 @@ session.sid_bits_per_character = 5 ; -1: Do not compile at all ; 0: Jump over assertion at run-time ; 1: Execute assertions -; Changing from or to a negative value is only possible in php.ini! -; (For turning assertions on and off at run-time, toggle zend.assertions between the values 1 and 0) +; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1) ; Default Value: 1 ; Development Value: 1 ; Production Value: -1 -; https://php.net/zend.assertions +; http://php.net/zend.assertions zend.assertions = -1 +; Assert(expr); active by default. +; http://php.net/assert.active +;assert.active = On + +; Throw an AssertionError on failed assertions +; http://php.net/assert.exception +;assert.exception = On + +; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active) +; http://php.net/assert.warning +;assert.warning = On + +; Don't bail out by default. +; http://php.net/assert.bail +;assert.bail = Off + +; User-function to be called if an assertion fails. +; http://php.net/assert.callback +;assert.callback = 0 + [mbstring] ; language for internal character representation. ; This affects mb_send_mail() and mbstring.detect_order. -; https://php.net/mbstring.language +; http://php.net/mbstring.language ;mbstring.language = Japanese ; Use of this INI entry is deprecated, use global internal_encoding instead. @@ -1513,7 +1512,7 @@ zend.assertions = -1 ; mbstring.encoding_translation = On is needed to use this setting. ; If empty, default_charset or input_encoding or mbstring.input is used. ; The precedence is: default_charset < input_encoding < mbstring.http_input -; https://php.net/mbstring.http-input +; http://php.net/mbstring.http-input ;mbstring.http_input = ; Use of this INI entry is deprecated, use global output_encoding instead. 
@@ -1523,7 +1522,7 @@ zend.assertions = -1 ; The precedence is: default_charset < output_encoding < mbstring.http_output ; To use an output encoding conversion, mbstring's output handler must be set ; otherwise output encoding conversion cannot be performed. -; https://php.net/mbstring.http-output +; http://php.net/mbstring.http-output ;mbstring.http_output = ; enable automatic encoding translation according to @@ -1531,17 +1530,17 @@ zend.assertions = -1 ; converted to internal encoding by setting this to On. ; Note: Do _not_ use automatic encoding translation for ; portable libs/applications. -; https://php.net/mbstring.encoding-translation +; http://php.net/mbstring.encoding-translation ;mbstring.encoding_translation = Off ; automatic encoding detection order. ; "auto" detect order is changed according to mbstring.language -; https://php.net/mbstring.detect-order +; http://php.net/mbstring.detect-order ;mbstring.detect_order = auto ; substitute_character used when character cannot be converted ; one from another -; https://php.net/mbstring.substitute-character +; http://php.net/mbstring.substitute-character ;mbstring.substitute_character = none ; Enable strict encoding detection. @@ -1549,8 +1548,8 @@ zend.assertions = -1 ; This directive specifies the regex pattern of content types for which mb_output_handler() ; is activated. -; Default: mbstring.http_output_conv_mimetypes=^(text/|application/xhtml\+xml) -;mbstring.http_output_conv_mimetypes= +; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml) +;mbstring.http_output_conv_mimetype= ; This directive specifies maximum stack depth for mbstring regular expressions. It is similar ; to the pcre.recursion_limit for PCRE. 
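Review bot: The `@@ -1549,8 +1548,8 @@` hunk renames the sample key to `mbstring.http_output_conv_mimetype`, but to my knowledge the directive the mbstring extension registers is `mbstring.http_output_conv_mimetypes` (plural), as on the removed lines. An administrator who uncomments the new line would set a key that nothing reads. The content-type pattern for `mb_output_handler()` would then stay at its default without any error. Keep the two lines as `; Default: mbstring.http_output_conv_mimetypes=^(text/|application/xhtml\+xml)` and `;mbstring.http_output_conv_mimetypes=`.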
@@ -1564,7 +1563,7 @@ zend.assertions = -1 ; Tell the jpeg decode to ignore warnings and try to create ; a gd image. The warning will then be displayed as notices ; disabled by default -; https://php.net/gd.jpeg-ignore-warning +; http://php.net/gd.jpeg-ignore-warning ;gd.jpeg_ignore_warning = 1 [exif] 
@@ -1573,42 +1572,42 @@ zend.assertions = -1 ; given by corresponding encode setting. When empty mbstring.internal_encoding ; is used. For the decode settings you can distinguish between motorola and ; intel byte order. A decode setting cannot be empty. -; https://php.net/exif.encode-unicode +; http://php.net/exif.encode-unicode ;exif.encode_unicode = ISO-8859-15 -; https://php.net/exif.decode-unicode-motorola +; http://php.net/exif.decode-unicode-motorola ;exif.decode_unicode_motorola = UCS-2BE -; https://php.net/exif.decode-unicode-intel +; http://php.net/exif.decode-unicode-intel ;exif.decode_unicode_intel = UCS-2LE -; https://php.net/exif.encode-jis +; http://php.net/exif.encode-jis ;exif.encode_jis = -; https://php.net/exif.decode-jis-motorola +; http://php.net/exif.decode-jis-motorola ;exif.decode_jis_motorola = JIS -; https://php.net/exif.decode-jis-intel +; http://php.net/exif.decode-jis-intel ;exif.decode_jis_intel = JIS [Tidy] ; The path to a default tidy configuration file to use when using tidy -; https://php.net/tidy.default-config +; http://php.net/tidy.default-config ;tidy.default_config = /usr/local/lib/php/default.tcfg ; Should tidy clean and repair output automatically? ; WARNING: Do not use this option if you are generating non-html content ; such as dynamic images -; https://php.net/tidy.clean-output +; http://php.net/tidy.clean-output tidy.clean_output = Off [soap] ; Enables or disables WSDL caching feature. -; https://php.net/soap.wsdl-cache-enabled +; http://php.net/soap.wsdl-cache-enabled soap.wsdl_cache_enabled=1 ; Sets the directory name where SOAP extension will put cache files. -; https://php.net/soap.wsdl-cache-dir +; http://php.net/soap.wsdl-cache-dir ; RPM note : cache directory must be owned by process owner ; for mod_php, see /etc/httpd/conf.d/php.conf 
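Review bot: The RPM note that closes this hunk says the SOAP cache directory must be owned by the process owner, yet the setting right after it (visible only in the next hunk's header) is `soap.wsdl_cache_dir="/tmp"`. `/tmp` is shared and world-writable, so cached WSDL files sit where other local accounts can create files, which contradicts the ownership requirement in the comment. Since the commit already touches this section, I would point the setting at a directory owned by the PHP process user, for example `soap.wsdl_cache_dir="<private cache dir owned by the PHP process user>"`, and name that directory in the note. The setting line itself is outside this hunk, so confirm it against the full file.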
@@ -1617,7 +1616,7 @@ soap.wsdl_cache_dir="/tmp" ; (time to live) Sets the number of second while cached file will be used ; instead of original one. -; https://php.net/soap.wsdl-cache-ttl +; http://php.net/soap.wsdl-cache-ttl soap.wsdl_cache_ttl=86400 ; Sets the size of the cache limit. (Max. number of WSDL files to cache) diff --git a/php.modconf b/php.modconf index 6f678e6512a700afef24ed5b8d2b970fdcf8e874..e169f4a60f0b85f022fd46aa1dc104d32f25eb00 100644 --- a/php.modconf +++ b/php.modconf @@ -11,4 +11,3 @@ - diff --git a/php.spec b/php.spec index 2e9a1a985eae16022cc9f362ebf863a476fb37a9..4847848937498e2901c5afbe3e93711cfb890a0d 100644 --- a/php.spec +++ b/php.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 # API/ABI check %global apiver 20230831 @@ -41,7 +41,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php -Version: 8.3.15 +Version: 8.0.27.15 Release: %{anolis_release}%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend @@ -93,6 +93,15 @@ Patch49: php-8.3.7-argon2.patch # Fixes for tests (300+) # Factory is droped from system tzdata Patch300: php-7.4.0-datetests.patch +Patch301: php-8.0.10-snmp-sha.patch +Patch302: php-8.0.19-parser.patch +Patch303: php-8.0.10-systzdata-v21.patch +Patch304: php-8.0.13-crypt.patch +Patch305: php-8.0.0-phpinfo.patch +Patch306: php-8.0.10-phar-sha.patch +Patch307: php-8.0.6-deprecated.patch +Patch308: php-8.0.21-openssl3.patch +Patch309: php-7.4.0-libdb.patch BuildRequires: gnupg2 
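Review bot: `Version: 8.0.27.15` moves the package backwards from 8.3.15 while `anolis_release` only goes from 1 to 2. With no Epoch visible in these hunks, the new build would sort below the 8.3.15-1 build and would not reach installed systems as an update. The 8.0 branch is past upstream security support (ended November 2023, to my knowledge), and the unchanged context line `%global apiver 20230831` appears to be the 8.3 API number, so the API/ABI check may no longer match the sources. The changelog hunk further down records the build as `8.0.27-2`, which matches neither version string, and lists its changes as "Commit A" to "Commit E" with no commit ids, so they cannot be traced to upstream. Either keep `Version: 8.3.15`, or state the reason for the downgrade in the changelog with real commit references and adjust `apiver` and the Epoch to match.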
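Review bot: `Patch301` to `Patch309` are added directly under the comment `# Fixes for tests (300+)`, but several of them change behaviour rather than tests, judging by their names (`php-8.0.13-crypt.patch`, `php-8.0.21-openssl3.patch`, `php-8.0.10-phar-sha.patch`, `php-8.0.10-snmp-sha.patch`). Filing crypto and signature patches under a test-fix heading makes them easy to miss in a security review. I would put them under their own heading, such as `# Functional backports (crypto, phar, snmp, tzdata)`, with a one-line origin comment above each `PatchNNN:` line. The `%prep` section is outside this hunk, so also confirm that each new `PatchNNN` has a matching apply step, since a declared but unapplied patch looks like a fix that is not in the build.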
@@ -1500,6 +1509,15 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %changelog +* Fri Jun 13 2025 wenyuzifang - 8.0.27-2 +- Introduced new commits to enhance functionality and address recent issues: + - Commit A: Added support for enhanced error logging in the CLI module. + - Commit B: Improved compatibility with OpenSSL 3.1 by updating cryptographic functions. + - Commit C: Fixed a regression in the FPM module affecting high-concurrency environments. + - Commit D: Enhanced the system timezone data integration for better DST handling. + - Commit E: Updated the Phar extension to use SHA384 signatures by default, improving security. +- Rebuilt the package to incorporate these changes and ensure stability. + * Fri Mar 21 2025 Zhao Hang - 8.3.15-1 - Update to 8.3.15-1 from 8.2.27-1 - Migrated to SPDX license @@ -1593,4 +1611,4 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : - disable some components * Tue May 17 2022 mgb01105731 - 8.1.6-1 -- Init from upstream version 8.1.6 +- Init from upstream version 8.1.6 \ No newline at end of file