diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7a7788f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/php-8.0.13.tar.xz
+SOURCES/php-keyring.gpg
diff --git a/.php.metadata b/.php.metadata
new file mode 100644
index 0000000..383f0dd
--- /dev/null
+++ b/.php.metadata
@@ -0,0 +1,2 @@
+53e7bfb527c0be4fe1ac1022b9e2895cbc256860 SOURCES/php-8.0.13.tar.xz
+7325aa0b303d1a0187b2066e407645b5bea29c8c SOURCES/php-keyring.gpg
diff --git a/SOURCES/10-opcache.ini b/SOURCES/10-opcache.ini
new file mode 100644
index 0000000..a5be172
--- /dev/null
+++ b/SOURCES/10-opcache.ini
@@ -0,0 +1,153 @@
+; Enable Zend OPcache extension module
+zend_extension=opcache
+
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+;opcache.memory_consumption=128
+
+; The amount of memory for interned strings in Mbytes.
+;opcache.interned_strings_buffer=8
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+;opcache.max_accelerated_files=10000
+
+; The maximum percentage of "wasted" memory until a restart is scheduled.
+;opcache.max_wasted_percentage=5
+
+; When this directive is enabled, the OPcache appends the current working
+; directory to the script key, thus eliminating possible collisions between
+; files with the same name (basename). Disabling the directive improves
+; performance, but may break existing applications.
+;opcache.use_cwd=1
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+;opcache.validate_timestamps=1
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+;opcache.revalidate_freq=2
+
+; Enables or disables file search in include_path optimization
+;opcache.revalidate_path=0
+
+; If disabled, all PHPDoc comments are dropped from the code to reduce the
+; size of the optimized code.
+;opcache.save_comments=1
+
+; If enabled, compilation warnings (including notices and deprecations) will
+; be recorded and replayed each time a file is included. Otherwise, compilation
+; warnings will only be emitted when the file is first cached.
+;opcache.record_warnings=0
+
+; Allow file existence override (file_exists, etc.) performance feature.
+;opcache.enable_file_override=0
+
+; A bitmask, where each bit enables or disables the appropriate OPcache
+; passes
+;opcache.optimization_level=0x7FFFBFFF
+
+; This hack should only be enabled to work around "Cannot redeclare class"
+; errors.
+;opcache.dups_fix=0
+
+; The location of the OPcache blacklist file (wildcards allowed).
+; Each OPcache blacklist file is a text file that holds the names of files
+; that should not be accelerated.
+opcache.blacklist_filename=/etc/php.d/opcache*.blacklist
+
+; Allows exclusion of large files from being cached. By default all files
+; are cached.
+;opcache.max_file_size=0
+
+; Check the cache checksum each N requests.
+; The default value of "0" means that the checks are disabled.
+;opcache.consistency_checks=0
+
+; How long to wait (in seconds) for a scheduled restart to begin if the cache
+; is not being accessed.
+;opcache.force_restart_timeout=180
+
+; OPcache error_log file name. Empty string assumes "stderr".
+;opcache.error_log=
+
+; All OPcache errors go to the Web server log.
+; By default, only fatal errors (level 0) or errors (level 1) are logged.
+; You can also enable warnings (level 2), info messages (level 3) or
+; debug messages (level 4).
+;opcache.log_verbosity_level=1
+
+; Preferred Shared Memory back-end. Leave empty and let the system decide.
+;opcache.preferred_memory_model=
+
+; Protect the shared memory from unexpected writing during script execution.
+; Useful for internal debugging only.
+;opcache.protect_memory=0
+
+; Allows calling OPcache API functions only from PHP scripts which path is
+; started from specified string. The default "" means no restriction
+;opcache.restrict_api=
+
+; Enables and sets the second level cache directory.
+; It should improve performance when SHM memory is full, at server restart or
+; SHM reset. The default "" disables file based caching.
+; RPM note : file cache directory must be owned by process owner
+; for mod_php, see /etc/httpd/conf.d/php.conf
+; for php-fpm, see /etc/php-fpm.d/*conf
+;opcache.file_cache=
+
+; Enables or disables opcode caching in shared memory.
+;opcache.file_cache_only=0
+
+; Enables or disables checksum validation when script loaded from file cache.
+;opcache.file_cache_consistency_checks=1
+
+; Implies opcache.file_cache_only=1 for a certain process that failed to
+; reattach to the shared memory (for Windows only). Explicitly enabled file
+; cache is required.
+;opcache.file_cache_fallback=1
+
+; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
+; This should improve performance, but requires appropriate OS configuration.
+opcache.huge_code_pages=0
+
+; Validate cached file permissions.
+; Leads OPcache to check file readability on each access to cached file.
+; This directive should be enabled in shared hosting environment, when few
+; users (PHP-FPM pools) reuse the common OPcache shared memory.
+;opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+; This directive prevents file name collisions in different "chroot"
+; environments. It should be enabled for sites that may serve requests in
+; different "chroot" environments.
+;opcache.validate_root=0
+
+; If specified, it produces opcode dumps for debugging different stages of
+; optimizations.
+;opcache.opt_debug_level=0
+
+; Specifies a PHP script that is going to be compiled and executed at server
+; start-up.
+; http://php.net/opcache.preload
+;opcache.preload=
+
+; Preloading code as root is not allowed for security reasons. This directive
+; facilitates to let the preloading to be run as another user.
+; http://php.net/opcache.preload_user
+;opcache.preload_user=
+
+; Prevents caching files that are less than this number of seconds old. It
+; protects from caching of incompletely updated files. In case all file updates
+; on your site are atomic, you may increase performance by setting it to "0".
+;opcache.file_update_protection=2
+
+; Absolute path used to store shared lockfiles (for *nix only).
+;opcache.lockfile_path=/tmp
diff --git a/SOURCES/20-ffi.ini b/SOURCES/20-ffi.ini
new file mode 100644
index 0000000..0bce40d
--- /dev/null
+++ b/SOURCES/20-ffi.ini
@@ -0,0 +1,13 @@
+; Enable ffi extension module
+extension=ffi
+
+; FFI API restriction. Possibe values:
+; "preload" - enabled in CLI scripts and preloaded files (default)
+; "false" - always disabled
+; "true" - always enabled
+;ffi.enable=preload
+
+; List of headers files to preload, wildcard patterns allowed.
+; /usr/share/php/preload used by for RPM packages
+; /usr/local/share/php/preload may be used for local files
+ffi.preload=/usr/share/php/preload/*.h:/usr/local/share/php/preload/*.h
diff --git a/SOURCES/macros.php b/SOURCES/macros.php
new file mode 100644
index 0000000..4a039aa
--- /dev/null
+++ b/SOURCES/macros.php
@@ -0,0 +1,21 @@
+#
+# Interface versions exposed by PHP:
+#
+%php_core_api @PHP_APIVER@
+%php_zend_api @PHP_ZENDVER@
+%php_pdo_api @PHP_PDOVER@
+%php_version @PHP_VERSION@
+
+%php_extdir %{_libdir}/php/modules
+%php_ztsextdir %{_libdir}/php-zts/modules
+
+%php_inidir %{_sysconfdir}/php.d
+%php_ztsinidir %{_sysconfdir}/php-zts.d
+
+%php_incldir %{_includedir}/php
+%php_ztsincldir %{_includedir}/php-zts/php
+
+%__php %{_bindir}/php
+%__ztsphp %{_bindir}/zts-php
+
+%pecl_xmldir %{_sharedstatedir}/php/peclxml
diff --git a/SOURCES/nginx-fpm.conf b/SOURCES/nginx-fpm.conf
new file mode 100644
index 0000000..a69df39
--- /dev/null
+++ b/SOURCES/nginx-fpm.conf
@@ -0,0 +1,6 @@
+# PHP-FPM FastCGI server
+# network or unix domain socket configuration
+
+upstream php-fpm {
+ server unix:/run/php-fpm/www.sock;
+}
diff --git a/SOURCES/nginx-php.conf b/SOURCES/nginx-php.conf
new file mode 100644
index 0000000..1df1b04
--- /dev/null
+++ b/SOURCES/nginx-php.conf
@@ -0,0 +1,16 @@
+# pass the PHP scripts to FastCGI server
+#
+# See conf.d/php-fpm.conf for socket configuration
+#
+index index.php index.html index.htm;
+
+location ~ \.(php|phar)(/.*)?$ {
+ fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;
+
+ fastcgi_intercept_errors on;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_pass php-fpm;
+}
diff --git a/SOURCES/opcache-default.blacklist b/SOURCES/opcache-default.blacklist
new file mode 100644
index 0000000..0cc2e18
--- /dev/null
+++ b/SOURCES/opcache-default.blacklist
@@ -0,0 +1,11 @@
+; The blacklist file is a text file that holds the names of files
+; that should not be accelerated. The file format is to add each filename
+; to a new line. The filename may be a full path or just a file prefix
+; (i.e., /var/www/x blacklists all the files and directories in /var/www
+; that start with 'x'). Line starting with a ; are ignored (comments).
+; Files are usually triggered by one of the following three reasons:
+; 1) Directories that contain auto generated code, like Smarty or ZFW cache.
+; 2) Code that does not work well when accelerated, due to some delayed
+; compile time evaluation.
+; 3) Code that triggers an OPcache bug.
+
diff --git a/SOURCES/php-7.2.0-includedir.patch b/SOURCES/php-7.2.0-includedir.patch
new file mode 100644
index 0000000..6d9a871
--- /dev/null
+++ b/SOURCES/php-7.2.0-includedir.patch
@@ -0,0 +1,11 @@
+--- php-7.2.0/configure.ac.includedir
++++ php-7.2.0/configure.ac
+@@ -1230,7 +1230,7 @@
+ EXPANDED_DATADIR=$datadir
+ EXPANDED_PHP_CONFIG_FILE_PATH=`eval echo "$PHP_CONFIG_FILE_PATH"`
+ EXPANDED_PHP_CONFIG_FILE_SCAN_DIR=`eval echo "$PHP_CONFIG_FILE_SCAN_DIR"`
+-INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR
++INCLUDE_PATH=.:$EXPANDED_PEAR_INSTALLDIR:${EXPANDED_DATADIR}/php
+
+ exec_prefix=$old_exec_prefix
+ libdir=$old_libdir
diff --git a/SOURCES/php-7.4.0-datetests.patch b/SOURCES/php-7.4.0-datetests.patch
new file mode 100644
index 0000000..8c437e5
--- /dev/null
+++ b/SOURCES/php-7.4.0-datetests.patch
@@ -0,0 +1,98 @@
+diff -up ./ext/date/tests/bug33414-2.phpt.datetests ./ext/date/tests/bug33414-2.phpt
+--- ./ext/date/tests/bug33414-2.phpt.datetests 2020-04-09 14:06:11.000000000 +0200
++++ ./ext/date/tests/bug33414-2.phpt 2020-04-09 14:40:00.809433489 +0200
+@@ -74,10 +74,10 @@ $strtotime_tstamp = strtotime("next Frid
+ print "result=".date("l Y-m-d H:i:s T I", $strtotime_tstamp)."\n";
+ print "wanted=Friday 00:00:00\n\n";
+ ?>
+---EXPECT--
++--EXPECTF--
+ TZ=Pacific/Rarotonga - wrong day.
+-tStamp=Thursday 1970-01-01 17:17:17 -1030 0
+-result=Tuesday 1970-01-06 00:00:00 -1030 0
++tStamp=Thursday 1970-01-01 17:17:17 %s
++result=Tuesday 1970-01-06 00:00:00 %s
+ wanted=Tuesday 00:00:00
+
+ TZ=Atlantic/South_Georgia - wrong day.
+@@ -91,13 +91,13 @@ result=Monday 2005-04-04 00:00:00 EDT 1
+ wanted=Monday 00:00:00
+
+ TZ=Pacific/Enderbury - wrong day, off by 2 days.
+-tStamp=Thursday 1970-01-01 17:17:17 -12 0
+-result=Monday 1970-01-05 00:00:00 -12 0
++tStamp=Thursday 1970-01-01 17:17:17 %s
++result=Monday 1970-01-05 00:00:00 %s
+ wanted=Monday 00:00:00
+
+ TZ=Pacific/Kiritimati - wrong day, off by 2 days.
+-tStamp=Thursday 1970-01-01 17:17:17 -1040 0
+-result=Monday 1970-01-05 00:00:00 -1040 0
++tStamp=Thursday 1970-01-01 17:17:17 %s
++result=Monday 1970-01-05 00:00:00 %s
+ wanted=Monday 00:00:00
+
+ TZ=America/Managua - wrong day.
+@@ -106,13 +106,13 @@ result=Tuesday 2005-04-12 00:00:00 CDT 1
+ wanted=Tuesday 00:00:00
+
+ TZ=Pacific/Pitcairn - wrong day.
+-tStamp=Thursday 1970-01-01 17:17:17 -0830 0
+-result=Wednesday 1970-01-07 00:00:00 -0830 0
++tStamp=Thursday 1970-01-01 17:17:17 %s
++result=Wednesday 1970-01-07 00:00:00 %s
+ wanted=Wednesday 00:00:00
+
+ TZ=Pacific/Fakaofo - wrong day.
+-tStamp=Thursday 1970-01-01 17:17:17 -11 0
+-result=Saturday 1970-01-03 00:00:00 -11 0
++tStamp=Thursday 1970-01-01 17:17:17 %s
++result=Saturday 1970-01-03 00:00:00 %s
+ wanted=Saturday 00:00:00
+
+ TZ=Pacific/Johnston - wrong day.
+diff -up ./ext/date/tests/bug66985.phpt.datetests ./ext/date/tests/bug66985.phpt
+--- ./ext/date/tests/bug66985.phpt.datetests 2020-04-09 14:06:11.000000000 +0200
++++ ./ext/date/tests/bug66985.phpt 2020-04-09 14:40:37.099288185 +0200
+@@ -3,7 +3,7 @@ Bug #66985 (Some timezones are no longer
+ --FILE--
+ <?php
+ $zones = array(
+- "CST6CDT", "Cuba", "Egypt", "Eire", "EST5EDT", "Factory", "GB-Eire",
++ "CST6CDT", "Cuba", "Egypt", "Eire", "EST5EDT", "GB-Eire",
+ "GMT0", "Greenwich", "Hongkong", "Iceland", "Iran", "Israel", "Jamaica",
+ "Japan", "Kwajalein", "Libya", "MST7MDT", "Navajo", "NZ-CHAT", "Poland",
+ "Portugal", "PST8PDT", "Singapore", "Turkey", "Universal", "W-SU",
+@@ -45,11 +45,6 @@ DateTimeZone Object
+ )
+ DateTimeZone Object
+ (
+- [timezone_type] => 3
+- [timezone] => Factory
+-)
+-DateTimeZone Object
+-(
+ [timezone_type] => 3
+ [timezone] => GB-Eire
+ )
+diff -up ./ext/date/tests/strtotime3-64bit.phpt.datetests ./ext/date/tests/strtotime3-64bit.phpt
+--- ./ext/date/tests/strtotime3-64bit.phpt.datetests 2020-04-09 14:06:11.000000000 +0200
++++ ./ext/date/tests/strtotime3-64bit.phpt 2020-04-09 14:40:00.809433489 +0200
+@@ -44,7 +44,7 @@ foreach ($strs as $str) {
+ }
+
+ ?>
+---EXPECT--
++--EXPECTF--
+ bool(false)
+ bool(false)
+ string(31) "Thu, 15 Jun 2006 00:00:00 +0100"
+@@ -53,7 +53,7 @@ bool(false)
+ string(31) "Fri, 16 Jun 2006 23:49:12 +0100"
+ bool(false)
+ string(31) "Fri, 16 Jun 2006 02:22:00 +0100"
+-string(31) "Sun, 16 Jun 0222 02:22:00 -0036"
++string(31) "Sun, 16 Jun 0222 02:22:00 %s"
+ string(31) "Fri, 16 Jun 2006 02:22:33 +0100"
+ bool(false)
+ string(31) "Tue, 02 Mar 2004 00:00:00 +0000"
diff --git a/SOURCES/php-7.4.0-httpd.patch b/SOURCES/php-7.4.0-httpd.patch
new file mode 100644
index 0000000..34f7c8a
--- /dev/null
+++ b/SOURCES/php-7.4.0-httpd.patch
@@ -0,0 +1,27 @@
+Disable MPM detection
+
+mod_php is build twice
+- as NTS without option
+- as ZTS using --enable-maintainer-zts
+
+diff --git a/sapi/apache2handler/config.m4 b/sapi/apache2handler/config.m4
+--- a/sapi/apache2handler/config.m4
++++ b/sapi/apache2handler/config.m4
+@@ -105,17 +105,6 @@ if test "$PHP_APXS2" != "no"; then
+ ;;
+ esac
+
+- if test "$APACHE_VERSION" -lt 2004001; then
+- APXS_MPM=`$APXS -q MPM_NAME`
+- if test "$APXS_MPM" != "prefork" && test "$APXS_MPM" != "peruser" && test "$APXS_MPM" != "itk"; then
+- PHP_BUILD_THREAD_SAFE
+- fi
+- else
+- APACHE_THREADED_MPM=`$APXS_HTTPD -V 2>/dev/null | grep 'threaded:.*yes'`
+- if test -n "$APACHE_THREADED_MPM"; then
+- PHP_BUILD_THREAD_SAFE
+- fi
+- fi
+ AC_MSG_RESULT(yes)
+ PHP_SUBST(APXS)
+ else
diff --git a/SOURCES/php-7.4.0-ldap_r.patch b/SOURCES/php-7.4.0-ldap_r.patch
new file mode 100644
index 0000000..13566b4
--- /dev/null
+++ b/SOURCES/php-7.4.0-ldap_r.patch
@@ -0,0 +1,19 @@
+
+Use -lldap_r by default.
+
+diff -up php-7.4.0RC2/ext/ldap/config.m4.ldap_r php-7.4.0RC2/ext/ldap/config.m4
+--- php-7.4.0RC2/ext/ldap/config.m4.ldap_r 2019-09-17 10:21:24.769200812 +0200
++++ php-7.4.0RC2/ext/ldap/config.m4 2019-09-17 10:21:30.658181771 +0200
+@@ -68,7 +68,11 @@ if test "$PHP_LDAP" != "no"; then
+ dnl -pc removal is a hack for clang
+ MACHINE_INCLUDES=$($CC -dumpmachine | $SED 's/-pc//')
+
+- if test -f $LDAP_LIBDIR/liblber.a || test -f $LDAP_LIBDIR/liblber.$SHLIB_SUFFIX_NAME || test -f $LDAP_LIBDIR/$MACHINE_INCLUDES/liblber.a || test -f $LDAP_LIBDIR/$MACHINE_INCLUDES/liblber.$SHLIB_SUFFIX_NAME; then
++ if test -f $LDAP_LIBDIR/libldap_r.$SHLIB_SUFFIX_NAME; then
++ PHP_ADD_LIBRARY_WITH_PATH(lber, $LDAP_LIBDIR, LDAP_SHARED_LIBADD)
++ PHP_ADD_LIBRARY_WITH_PATH(ldap_r, $LDAP_LIBDIR, LDAP_SHARED_LIBADD)
++
++ elif test -f $LDAP_LIBDIR/liblber.a || test -f $LDAP_LIBDIR/liblber.$SHLIB_SUFFIX_NAME || test -f $LDAP_LIBDIR/$MACHINE_INCLUDES/liblber.a || test -f $LDAP_LIBDIR/$MACHINE_INCLUDES/liblber.$SHLIB_SUFFIX_NAME; then
+ PHP_ADD_LIBRARY_WITH_PATH(lber, $LDAP_LIBDIR, LDAP_SHARED_LIBADD)
+ PHP_ADD_LIBRARY_WITH_PATH(ldap, $LDAP_LIBDIR, LDAP_SHARED_LIBADD)
+
diff --git a/SOURCES/php-7.4.0-libdb.patch b/SOURCES/php-7.4.0-libdb.patch
new file mode 100644
index 0000000..d7c6289
--- /dev/null
+++ b/SOURCES/php-7.4.0-libdb.patch
@@ -0,0 +1,92 @@
+diff -up ./ext/dba/config.m4.libdb ./ext/dba/config.m4
+--- ./ext/dba/config.m4.libdb 2020-04-09 14:06:11.000000000 +0200
++++ ./ext/dba/config.m4 2020-04-09 14:35:08.208605065 +0200
+@@ -375,61 +375,13 @@ if test "$PHP_DB4" != "no"; then
+ dbdp4="/usr/local/BerkeleyDB.4."
+ dbdp5="/usr/local/BerkeleyDB.5."
+ for i in $PHP_DB4 ${dbdp5}1 ${dbdp5}0 ${dbdp4}8 ${dbdp4}7 ${dbdp4}6 ${dbdp4}5 ${dbdp4}4 ${dbdp4}3 ${dbdp4}2 ${dbdp4}1 ${dbdp}0 /usr/local /usr; do
+- if test -f "$i/db5/db.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/db5/db.h
+- break
+- elif test -f "$i/db4/db.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/db4/db.h
+- break
+- elif test -f "$i/include/db5.3/db.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/include/db5.3/db.h
+- break
+- elif test -f "$i/include/db5.1/db.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/include/db5.1/db.h
+- break
+- elif test -f "$i/include/db5.0/db.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/include/db5.0/db.h
+- break
+- elif test -f "$i/include/db4.8/db.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/include/db4.8/db.h
+- break
+- elif test -f "$i/include/db4.7/db.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/include/db4.7/db.h
+- break
+- elif test -f "$i/include/db4.6/db.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/include/db4.6/db.h
+- break
+- elif test -f "$i/include/db4.5/db.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/include/db4.5/db.h
+- break
+- elif test -f "$i/include/db4/db.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/include/db4/db.h
+- break
+- elif test -f "$i/include/db/db4.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/include/db/db4.h
+- break
+- elif test -f "$i/include/db4.h"; then
+- THIS_PREFIX=$i
+- THIS_INCLUDE=$i/include/db4.h
+- break
+- elif test -f "$i/include/db.h"; then
++ if test -f "$i/include/db.h"; then
+ THIS_PREFIX=$i
+ THIS_INCLUDE=$i/include/db.h
+ break
+ fi
+ done
+- PHP_DBA_DB_CHECK(4, db-5.3 db-5.1 db-5.0 db-4.8 db-4.7 db-4.6 db-4.5 db-4.4 db-4.3 db-4.2 db-4.1 db-4.0 db-4 db4 db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)])
++ PHP_DBA_DB_CHECK(4, db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)])
+ fi
+ PHP_DBA_STD_RESULT(db4,Berkeley DB4)
+
+diff -up ./ext/dba/dba.c.libdb ./ext/dba/dba.c
+--- ./ext/dba/dba.c.libdb 2020-04-09 14:06:11.000000000 +0200
++++ ./ext/dba/dba.c 2020-04-09 14:36:30.593275190 +0200
+@@ -50,6 +50,10 @@
+ #include "php_lmdb.h"
+ #include "dba_arginfo.h"
+
++#ifdef DB4_INCLUDE_FILE
++#include DB4_INCLUDE_FILE
++#endif
++
+ PHP_MINIT_FUNCTION(dba);
+ PHP_MSHUTDOWN_FUNCTION(dba);
+ PHP_MINFO_FUNCTION(dba);
+@@ -459,6 +463,10 @@ PHP_MINFO_FUNCTION(dba)
+
+ php_info_print_table_start();
+ php_info_print_table_row(2, "DBA support", "enabled");
++#ifdef DB_VERSION_STRING
++ php_info_print_table_row(2, "libdb header version", DB_VERSION_STRING);
++ php_info_print_table_row(2, "libdb library version", db_version(NULL, NULL, NULL));
++#endif
+ if (handlers.s) {
+ smart_str_0(&handlers);
+ php_info_print_table_row(2, "Supported handlers", ZSTR_VAL(handlers.s));
diff --git a/SOURCES/php-7.4.0-phpize.patch b/SOURCES/php-7.4.0-phpize.patch
new file mode 100644
index 0000000..fb99f3e
--- /dev/null
+++ b/SOURCES/php-7.4.0-phpize.patch
@@ -0,0 +1,35 @@
+diff -up ./scripts/phpize.in.headers ./scripts/phpize.in
+--- ./scripts/phpize.in.headers 2019-07-23 10:05:11.000000000 +0200
++++ ./scripts/phpize.in 2019-07-23 10:18:13.648098089 +0200
+@@ -165,6 +165,15 @@ phpize_autotools()
+ $PHP_AUTOHEADER || exit 1
+ }
+
++phpize_check_headers()
++{
++ if test ! -f $includedir/main/php.h; then
++ echo "Can't find PHP headers in $includedir"
++ echo "The php-devel package is required for use of this command."
++ exit 1
++ fi
++}
++
+ # Main script
+
+ case "$1" in
+@@ -183,12 +192,15 @@ case "$1" in
+
+ # Version
+ --version|-v)
++ phpize_check_headers
+ phpize_print_api_numbers
+ exit 0
+ ;;
+
+ # Default
+ *)
++ phpize_check_headers
++
+ phpize_check_configm4 0
+
+ phpize_check_build_files
diff --git a/SOURCES/php-8.0.0-embed.patch b/SOURCES/php-8.0.0-embed.patch
new file mode 100644
index 0000000..27533ea
--- /dev/null
+++ b/SOURCES/php-8.0.0-embed.patch
@@ -0,0 +1,25 @@
+diff -up ./sapi/embed/config.m4.embed ./sapi/embed/config.m4
+--- ./sapi/embed/config.m4.embed 2020-07-07 13:51:05.879764972 +0200
++++ ./sapi/embed/config.m4 2020-07-07 13:52:50.128412148 +0200
+@@ -12,7 +12,8 @@ if test "$PHP_EMBED" != "no"; then
+ yes|shared)
+ LIBPHP_CFLAGS="-shared"
+ PHP_EMBED_TYPE=shared
+- INSTALL_IT="\$(mkinstalldirs) \$(INSTALL_ROOT)\$(prefix)/lib; \$(INSTALL) -m 0755 $SAPI_SHARED \$(INSTALL_ROOT)\$(prefix)/lib"
++ EXTRA_LDFLAGS="$EXTRA_LDFLAGS -release \$(PHP_MAJOR_VERSION).\$(PHP_MINOR_VERSION)"
++ INSTALL_IT="\$(mkinstalldirs) \$(INSTALL_ROOT)\$(libdir); \$(LIBTOOL) --mode=install \$(INSTALL) -m 0755 \$(OVERALL_TARGET) \$(INSTALL_ROOT)\$(libdir)"
+ ;;
+ static)
+ LIBPHP_CFLAGS="-static"
+diff -up ./scripts/php-config.in.embed ./scripts/php-config.in
+--- ./scripts/php-config.in.embed 2020-07-07 12:54:42.000000000 +0200
++++ ./scripts/php-config.in 2020-07-07 13:51:05.880764968 +0200
+@@ -18,7 +18,7 @@ exe_extension="@EXEEXT@"
+ php_cli_binary=NONE
+ php_cgi_binary=NONE
+ configure_options="@CONFIGURE_OPTIONS@"
+-php_sapis="@PHP_INSTALLED_SAPIS@"
++php_sapis="apache2handler litespeed fpm phpdbg @PHP_INSTALLED_SAPIS@"
+ ini_dir="@EXPANDED_PHP_CONFIG_FILE_SCAN_DIR@"
+ ini_path="@EXPANDED_PHP_CONFIG_FILE_PATH@"
+
diff --git a/SOURCES/php-8.0.0-parser.patch b/SOURCES/php-8.0.0-parser.patch
new file mode 100644
index 0000000..f5da3b5
--- /dev/null
+++ b/SOURCES/php-8.0.0-parser.patch
@@ -0,0 +1,16 @@
+diff -up ./build/gen_stub.php.syslib ./build/gen_stub.php
+--- ./build/gen_stub.php.syslib 2020-06-25 08:11:51.782046813 +0200
++++ ./build/gen_stub.php 2020-06-25 08:13:11.188860368 +0200
+@@ -1075,6 +1075,12 @@ function initPhpParser() {
+ }
+
+ $isInitialized = true;
++
++ if (file_exists('/usr/share/php/PhpParser4/autoload.php')) {
++ require_once '/usr/share/php/PhpParser4/autoload.php';
++ return;
++ }
++
+ $version = "4.9.0";
+ $phpParserDir = __DIR__ . "/PHP-Parser-$version";
+ if (!is_dir($phpParserDir)) {
diff --git a/SOURCES/php-8.0.0-phpinfo.patch b/SOURCES/php-8.0.0-phpinfo.patch
new file mode 100644
index 0000000..391d996
--- /dev/null
+++ b/SOURCES/php-8.0.0-phpinfo.patch
@@ -0,0 +1,118 @@
+
+Drop "Configure Command" from phpinfo as it doesn't
+provide any useful information.
+The available extensions are not related to this command.
+
+Replace full GCC name by gcc in php -v output
+
+
+Also apply
+
+From 9bf43c45908433d382f0499d529849172d0d8206 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Mon, 28 Dec 2020 08:33:09 +0100
+Subject: [PATCH] rename COMPILER and ARCHITECTURE macro (too generic)
+
+---
+ configure.ac | 4 ++--
+ ext/standard/info.c | 8 ++++----
+ sapi/cli/php_cli.c | 8 ++++----
+ win32/build/confutils.js | 10 +++++-----
+ 4 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9d9c8b155b07..143dc061346b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1289,10 +1289,10 @@ if test -n "${PHP_BUILD_PROVIDER}"; then
+ AC_DEFINE_UNQUOTED(PHP_BUILD_PROVIDER,"$PHP_BUILD_PROVIDER",[build provider])
+ fi
+ if test -n "${PHP_BUILD_COMPILER}"; then
+- AC_DEFINE_UNQUOTED(COMPILER,"$PHP_BUILD_COMPILER",[used compiler for build])
++ AC_DEFINE_UNQUOTED(PHP_BUILD_COMPILER,"$PHP_BUILD_COMPILER",[used compiler for build])
+ fi
+ if test -n "${PHP_BUILD_ARCH}"; then
+- AC_DEFINE_UNQUOTED(ARCHITECTURE,"$PHP_BUILD_ARCH",[build architecture])
++ AC_DEFINE_UNQUOTED(PHP_BUILD_ARCH,"$PHP_BUILD_ARCH",[build architecture])
+ fi
+
+ PHP_SUBST_OLD(PHP_INSTALLED_SAPIS)
+diff --git a/ext/standard/info.c b/ext/standard/info.c
+index 153cb6cde014..8ceef31d9fe4 100644
+--- a/ext/standard/info.c
++++ b/ext/standard/info.c
+@@ -798,11 +798,11 @@ PHPAPI ZEND_COLD void php_print_info(int flag)
+ #ifdef PHP_BUILD_PROVIDER
+ php_info_print_table_row(2, "Build Provider", PHP_BUILD_PROVIDER);
+ #endif
+-#ifdef COMPILER
+- php_info_print_table_row(2, "Compiler", COMPILER);
++#ifdef PHP_BUILD_COMPILER
++ php_info_print_table_row(2, "Compiler", PHP_BUILD_COMPILER);
+ #endif
+-#ifdef ARCHITECTURE
+- php_info_print_table_row(2, "Architecture", ARCHITECTURE);
++#ifdef PHP_BUILD_ARCH
++ php_info_print_table_row(2, "Architecture", PHP_BUILD_ARCH);
+ #endif
+ #ifdef CONFIGURE_COMMAND
+ php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND );
+diff --git a/sapi/cli/php_cli.c b/sapi/cli/php_cli.c
+index 5092fb0ffd68..9d296acec631 100644
+--- a/sapi/cli/php_cli.c
++++ b/sapi/cli/php_cli.c
+@@ -640,12 +640,12 @@ static int do_cli(int argc, char **argv) /* {{{ */
+ #else
+ "NTS "
+ #endif
+-#ifdef COMPILER
+- COMPILER
++#ifdef PHP_BUILD_COMPILER
++ PHP_BUILD_COMPILER
+ " "
+ #endif
+-#ifdef ARCHITECTURE
+- ARCHITECTURE
++#ifdef PHP_BUILD_ARCH
++ PHP_BUILD_ARCH
+ " "
+ #endif
+ #if ZEND_DEBUG
+
+diff -up ./ext/standard/info.c.phpinfo ./ext/standard/info.c
+--- ./ext/standard/info.c.phpinfo 2020-07-21 10:49:31.000000000 +0200
++++ ./ext/standard/info.c 2020-07-21 11:41:56.295633523 +0200
+@@ -804,9 +804,6 @@ PHPAPI ZEND_COLD void php_print_info(int
+ #ifdef PHP_BUILD_ARCH
+ php_info_print_table_row(2, "Architecture", PHP_BUILD_ARCH);
+ #endif
+-#ifdef CONFIGURE_COMMAND
+- php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND );
+-#endif
+
+ if (sapi_module.pretty_name) {
+ php_info_print_table_row(2, "Server API", sapi_module.pretty_name );
+diff -up ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo ./ext/standard/tests/general_functions/phpinfo.phpt
+--- ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo 2020-07-21 10:49:31.000000000 +0200
++++ ./ext/standard/tests/general_functions/phpinfo.phpt 2020-07-21 11:41:56.296633522 +0200
+@@ -17,7 +17,6 @@ PHP Version => %s
+
+ System => %s
+ Build Date => %s%a
+-Configure Command => %s
+ Server API => Command Line Interface
+ Virtual Directory Support => %s
+ Configuration File (php.ini) Path => %s
+diff -up ./sapi/cli/php_cli.c.phpinfo ./sapi/cli/php_cli.c
+--- ./sapi/cli/php_cli.c.phpinfo 2020-07-21 11:43:38.812475300 +0200
++++ ./sapi/cli/php_cli.c 2020-07-21 11:43:45.783464540 +0200
+@@ -641,8 +641,7 @@ static int do_cli(int argc, char **argv)
+ "NTS "
+ #endif
+ #ifdef PHP_BUILD_COMPILER
+- PHP_BUILD_COMPILER
+- " "
++ "gcc "
+ #endif
+ #ifdef PHP_BUILD_ARCH
+ PHP_BUILD_ARCH
diff --git a/SOURCES/php-8.0.10-openssl3.patch b/SOURCES/php-8.0.10-openssl3.patch
new file mode 100644
index 0000000..6070150
--- /dev/null
+++ b/SOURCES/php-8.0.10-openssl3.patch
@@ -0,0 +1,4761 @@
+From 3d13d14f318267b27f99025b37a2061c835e0727 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Sun, 8 Aug 2021 17:38:30 +0200
+Subject: [PATCH 01/39] minimal fix for openssl 3.0 (#7002)
+
+(cherry picked from commit a0972deb0f441fc7991001cb51efc994b70a3b51)
+---
+ ext/openssl/openssl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 19e7a0d79e..015cd89aa6 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -1221,7 +1221,9 @@ PHP_MINIT_FUNCTION(openssl)
+ REGISTER_LONG_CONSTANT("OPENSSL_CMS_NOSIGS", CMS_NOSIGS, CONST_CS|CONST_PERSISTENT);
+
+ REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_PADDING", RSA_PKCS1_PADDING, CONST_CS|CONST_PERSISTENT);
++#ifdef RSA_SSLV23_PADDING
+ REGISTER_LONG_CONSTANT("OPENSSL_SSLV23_PADDING", RSA_SSLV23_PADDING, CONST_CS|CONST_PERSISTENT);
++#endif
+ REGISTER_LONG_CONSTANT("OPENSSL_NO_PADDING", RSA_NO_PADDING, CONST_CS|CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING, CONST_CS|CONST_PERSISTENT);
+
+--
+2.31.1
+
+From fc0dbc36e4563a5146aa5345e8520f6601ec7030 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 09:41:39 +0200
+Subject: [PATCH 02/39] Optimize openssl memory leak test
+
+Just do one call and check whether memory usage changes. Looping
+this 100000 times is extremely slow with debug builds of openssl.
+
+(cherry picked from commit 6249172ae37f958f0a3ef92cb55d5bf7affa8214)
+---
+ ext/openssl/tests/bug79145.phpt | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/ext/openssl/tests/bug79145.phpt b/ext/openssl/tests/bug79145.phpt
+index 4f3dc9e766..c9c7df2953 100644
+--- a/ext/openssl/tests/bug79145.phpt
++++ b/ext/openssl/tests/bug79145.phpt
+@@ -3,7 +3,6 @@ Bug #79145 (openssl memory leak)
+ --SKIPIF--
+ <?php
+ if (!extension_loaded('openssl')) die('skip openssl extension not available');
+-if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
+ ?>
+ --FILE--
+ <?php
+@@ -14,13 +13,14 @@ j85Q5OliVxOdB1LoTOsOmfFf/fdvpU3DsOWsDKlVrL41MHxXorwrwOiys/r/gv2d
+ C9C4JmhTOjBVAK8SewIDAQAC
+ -----END PUBLIC KEY-----';
+
++$a = openssl_get_publickey($b);
++@openssl_free_key($a);
++
+ $start = memory_get_usage(true);
+-for ($i = 0; $i < 100000; $i++) {
+- $a = openssl_get_publickey($b);
+- @openssl_free_key($a);
+-}
++$a = openssl_get_publickey($b);
++@openssl_free_key($a);
+ $end = memory_get_usage(true);
+-var_dump($end <= 1.1 * $start);
++var_dump($end == $start);
+ ?>
+ --EXPECT--
+ bool(true)
+--
+2.31.1
+
+From da4fbfb99a6dfc9dbaaa04a4bc8068a7e9bfa46c Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 09:46:07 +0200
+Subject: [PATCH 03/39] Reduce security level in some OpenSSL tests
+
+This allows tests using older protocols and algorithms to work
+under OpenSSL 3.
+
+Also account for minor changes in error reporting.
+
+(cherry picked from commit 3ea57cf83834e07aae6953201015e39b4a2ac6dd)
+---
+ ext/openssl/tests/session_meta_capture.phpt | 4 ++--
+ ext/openssl/tests/stream_crypto_flags_001.phpt | 4 ++--
+ ext/openssl/tests/stream_crypto_flags_002.phpt | 4 ++--
+ ext/openssl/tests/stream_crypto_flags_003.phpt | 4 ++--
+ ext/openssl/tests/stream_crypto_flags_004.phpt | 4 ++--
+ ext/openssl/tests/stream_security_level.phpt | 4 ++--
+ ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt | 4 ++--
+ ext/openssl/tests/tls_wrapper.phpt | 4 ++--
+ ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt | 4 ++--
+ ext/openssl/tests/tlsv1.0_wrapper.phpt | 4 ++--
+ ext/openssl/tests/tlsv1.1_wrapper.phpt | 4 ++--
+ 11 files changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/ext/openssl/tests/session_meta_capture.phpt b/ext/openssl/tests/session_meta_capture.phpt
+index 58b48e9c59..8a0f403a15 100644
+--- a/ext/openssl/tests/session_meta_capture.phpt
++++ b/ext/openssl/tests/session_meta_capture.phpt
+@@ -15,7 +15,7 @@ $serverCode = <<<'CODE'
+ $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+ $serverCtx = stream_context_create(['ssl' => [
+ 'local_cert' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
+@@ -36,7 +36,7 @@ $clientCode = <<<'CODE'
+ 'verify_peer' => true,
+ 'cafile' => '%s',
+ 'peer_name' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ phpt_wait();
+diff --git a/ext/openssl/tests/stream_crypto_flags_001.phpt b/ext/openssl/tests/stream_crypto_flags_001.phpt
+index acd97110ff..a86e0f8a6c 100644
+--- a/ext/openssl/tests/stream_crypto_flags_001.phpt
++++ b/ext/openssl/tests/stream_crypto_flags_001.phpt
+@@ -15,7 +15,7 @@ $serverCode = <<<'CODE'
+ $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+ $serverCtx = stream_context_create(['ssl' => [
+ 'local_cert' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
+@@ -35,7 +35,7 @@ $clientCode = <<<'CODE'
+ 'verify_peer' => true,
+ 'cafile' => '%s',
+ 'peer_name' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ phpt_wait();
+diff --git a/ext/openssl/tests/stream_crypto_flags_002.phpt b/ext/openssl/tests/stream_crypto_flags_002.phpt
+index 15b1ec2cfc..2870bdc814 100644
+--- a/ext/openssl/tests/stream_crypto_flags_002.phpt
++++ b/ext/openssl/tests/stream_crypto_flags_002.phpt
+@@ -15,7 +15,7 @@ $serverCode = <<<'CODE'
+ $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+ $serverCtx = stream_context_create(['ssl' => [
+ 'local_cert' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
+@@ -36,7 +36,7 @@ $clientCode = <<<'CODE'
+ 'verify_peer' => true,
+ 'cafile' => '%s',
+ 'peer_name' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ phpt_wait();
+diff --git a/ext/openssl/tests/stream_crypto_flags_003.phpt b/ext/openssl/tests/stream_crypto_flags_003.phpt
+index 35f83f22dd..da1f1ae228 100644
+--- a/ext/openssl/tests/stream_crypto_flags_003.phpt
++++ b/ext/openssl/tests/stream_crypto_flags_003.phpt
+@@ -19,7 +19,7 @@ $serverCode = <<<'CODE'
+
+ // Only accept TLSv1.0 and TLSv1.2 connections
+ 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER | STREAM_CRYPTO_METHOD_TLSv1_2_SERVER,
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
+@@ -40,7 +40,7 @@ $clientCode = <<<'CODE'
+ 'verify_peer' => true,
+ 'cafile' => '%s',
+ 'peer_name' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ phpt_wait();
+diff --git a/ext/openssl/tests/stream_crypto_flags_004.phpt b/ext/openssl/tests/stream_crypto_flags_004.phpt
+index d9bfcfea3f..b7626b8ea7 100644
+--- a/ext/openssl/tests/stream_crypto_flags_004.phpt
++++ b/ext/openssl/tests/stream_crypto_flags_004.phpt
+@@ -16,7 +16,7 @@ $serverCode = <<<'CODE'
+ $serverCtx = stream_context_create(['ssl' => [
+ 'local_cert' => '%s',
+ 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER,
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
+@@ -37,7 +37,7 @@ $clientCode = <<<'CODE'
+ 'verify_peer' => true,
+ 'cafile' => '%s',
+ 'peer_name' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ phpt_wait();
+diff --git a/ext/openssl/tests/stream_security_level.phpt b/ext/openssl/tests/stream_security_level.phpt
+index 44ba4c6d57..b8a8796de3 100644
+--- a/ext/openssl/tests/stream_security_level.phpt
++++ b/ext/openssl/tests/stream_security_level.phpt
+@@ -24,7 +24,7 @@ $serverCode = <<<'CODE'
+ 'local_cert' => '%s',
+ // Make sure the server side starts up successfully if the default security level is
+ // higher. We want to test the error at the client side.
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
+@@ -66,7 +66,7 @@ ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+ ?>
+ --EXPECTF--
+ Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
+-error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in %s : eval()'d code on line %d
++error:%s:SSL routines:%S:certificate verify failed in %s : eval()'d code on line %d
+
+ Warning: stream_socket_client(): Failed to enable crypto in %s : eval()'d code on line %d
+
+diff --git a/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt b/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt
+index ac31192da4..73dd812291 100644
+--- a/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt
++++ b/ext/openssl/tests/tls_min_v1.0_max_v1.1_wrapper.phpt
+@@ -15,7 +15,7 @@ $serverCode = <<<'CODE'
+ 'local_cert' => '%s',
+ 'min_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_0,
+ 'max_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_1,
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+@@ -32,7 +32,7 @@ $clientCode = <<<'CODE'
+ $ctx = stream_context_create(['ssl' => [
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ phpt_wait();
+diff --git a/ext/openssl/tests/tls_wrapper.phpt b/ext/openssl/tests/tls_wrapper.phpt
+index d79e978c10..3488f6f7f0 100644
+--- a/ext/openssl/tests/tls_wrapper.phpt
++++ b/ext/openssl/tests/tls_wrapper.phpt
+@@ -14,7 +14,7 @@ $serverCode = <<<'CODE'
+ $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+ $ctx = stream_context_create(['ssl' => [
+ 'local_cert' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+@@ -31,7 +31,7 @@ $clientCode = <<<'CODE'
+ $ctx = stream_context_create(['ssl' => [
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ phpt_wait();
+diff --git a/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt b/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt
+index b419179b3f..c8a0245601 100644
+--- a/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt
++++ b/ext/openssl/tests/tls_wrapper_with_tls_v1.3.phpt
+@@ -14,7 +14,7 @@ $serverCode = <<<'CODE'
+ $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+ $ctx = stream_context_create(['ssl' => [
+ 'local_cert' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+@@ -31,7 +31,7 @@ $clientCode = <<<'CODE'
+ $ctx = stream_context_create(['ssl' => [
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ phpt_wait();
+diff --git a/ext/openssl/tests/tlsv1.0_wrapper.phpt b/ext/openssl/tests/tlsv1.0_wrapper.phpt
+index adbe7b6308..fc802662ac 100644
+--- a/ext/openssl/tests/tlsv1.0_wrapper.phpt
++++ b/ext/openssl/tests/tlsv1.0_wrapper.phpt
+@@ -13,7 +13,7 @@ $serverCode = <<<'CODE'
+ $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+ $ctx = stream_context_create(['ssl' => [
+ 'local_cert' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server('tlsv1.0://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+@@ -30,7 +30,7 @@ $clientCode = <<<'CODE'
+ $ctx = stream_context_create(['ssl' => [
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ phpt_wait();
+diff --git a/ext/openssl/tests/tlsv1.1_wrapper.phpt b/ext/openssl/tests/tlsv1.1_wrapper.phpt
+index c1aaa04919..84a137b5f4 100644
+--- a/ext/openssl/tests/tlsv1.1_wrapper.phpt
++++ b/ext/openssl/tests/tlsv1.1_wrapper.phpt
+@@ -13,7 +13,7 @@ $serverCode = <<<'CODE'
+ $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+ $ctx = stream_context_create(['ssl' => [
+ 'local_cert' => '%s',
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ $server = stream_socket_server('tlsv1.1://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+@@ -30,7 +30,7 @@ $clientCode = <<<'CODE'
+ $ctx = stream_context_create(['ssl' => [
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+- 'security_level' => 1,
++ 'security_level' => 0,
+ ]]);
+
+ phpt_wait();
+--
+2.31.1
+
+From fe770720985c5f31a79528528be0aa8e0e56a389 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 09:57:40 +0200
+Subject: [PATCH 04/39] Adjust some tests for whitespace differences in OpenSSL
+ 3
+
+A trailing newline is no longer present in OpenSSL 3.
+
+(cherry picked from commit 0a530d7650c6f9cb7c1b55755c8bf5961052039c)
+---
+ ext/openssl/tests/bug28382.phpt | 17 +++++++----------
+ ext/openssl/tests/cve2013_4073.phpt | 5 ++---
+ ext/openssl/tests/openssl_x509_parse_basic.phpt | 10 ++++------
+ 3 files changed, 13 insertions(+), 19 deletions(-)
+
+diff --git a/ext/openssl/tests/bug28382.phpt b/ext/openssl/tests/bug28382.phpt
+index 3d8cb528ba..00765ba838 100644
+--- a/ext/openssl/tests/bug28382.phpt
++++ b/ext/openssl/tests/bug28382.phpt
+@@ -9,11 +9,10 @@ if (!extension_loaded("openssl")) die("skip");
+ $cert = file_get_contents(__DIR__ . "/bug28382cert.txt");
+ $ext = openssl_x509_parse($cert);
+ var_dump($ext['extensions']);
+-/* openssl 1.0 prepends the string "Full Name:" to the crlDistributionPoints array key.
+- For now, as this is the one difference only between 0.9.x and 1.x, it's handled with
+- placeholders to not to duplicate the test. When more diffs come, a duplication would
+- be probably a better solution.
+-*/
++/*
++ * The reason for %A at the end of crlDistributionPoints and authorityKeyIdentifier is that
++ * OpenSSL 3.0 removes new lines which were present in previous versions.
++ */
+ ?>
+ --EXPECTF--
+ array(11) {
+@@ -24,8 +23,7 @@ array(11) {
+ ["nsCertType"]=>
+ string(30) "SSL Client, SSL Server, S/MIME"
+ ["crlDistributionPoints"]=>
+- string(%d) "%AURI:http://mobile.blue-software.ro:90/ca/crl.shtml
+-"
++ string(%d) "%AURI:http://mobile.blue-software.ro:90/ca/crl.shtml%A"
+ ["nsCaPolicyUrl"]=>
+ string(38) "http://mobile.blue-software.ro:90/pub/"
+ ["subjectAltName"]=>
+@@ -33,9 +31,8 @@ array(11) {
+ ["subjectKeyIdentifier"]=>
+ string(59) "B0:A7:FF:F9:41:15:DE:23:39:BD:DD:31:0F:97:A0:B2:A2:74:E0:FC"
+ ["authorityKeyIdentifier"]=>
+- string(115) "DirName:/C=RO/ST=Romania/L=Craiova/O=Sergiu/OU=Sergiu SRL/CN=Sergiu CA/emailAddress=n_sergiu@hotmail.com
+-serial:00
+-"
++ string(%d) "DirName:/C=RO/ST=Romania/L=Craiova/O=Sergiu/OU=Sergiu SRL/CN=Sergiu CA/emailAddress=n_sergiu@hotmail.com
++serial:00%A"
+ ["keyUsage"]=>
+ string(71) "Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment"
+ ["nsBaseUrl"]=>
+diff --git a/ext/openssl/tests/cve2013_4073.phpt b/ext/openssl/tests/cve2013_4073.phpt
+index c88021b0ae..5cd05ab040 100644
+--- a/ext/openssl/tests/cve2013_4073.phpt
++++ b/ext/openssl/tests/cve2013_4073.phpt
+@@ -9,11 +9,10 @@ $info = openssl_x509_parse($cert);
+ var_export($info['extensions']);
+
+ ?>
+---EXPECT--
++--EXPECTF--
+ array (
+ 'basicConstraints' => 'CA:FALSE',
+ 'subjectKeyIdentifier' => '88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C',
+ 'keyUsage' => 'Digital Signature, Non Repudiation, Key Encipherment',
+- 'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1
+-',
++ 'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1%A',
+ )
+diff --git a/ext/openssl/tests/openssl_x509_parse_basic.phpt b/ext/openssl/tests/openssl_x509_parse_basic.phpt
+index b80c1f71f1..38915157f3 100644
+--- a/ext/openssl/tests/openssl_x509_parse_basic.phpt
++++ b/ext/openssl/tests/openssl_x509_parse_basic.phpt
+@@ -153,10 +153,9 @@ array(16) {
+ ["subjectKeyIdentifier"]=>
+ string(59) "DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D"
+ ["authorityKeyIdentifier"]=>
+- string(202) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
++ string(%d) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
+ DirName:/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnangelo@php.net
+-serial:AE:C5:56:CC:72:37:50:A2
+-"
++serial:AE:C5:56:CC:72:37:50:A2%A"
+ ["basicConstraints"]=>
+ string(7) "CA:TRUE"
+ }
+@@ -301,10 +300,9 @@ array(16) {
+ ["subjectKeyIdentifier"]=>
+ string(59) "DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D"
+ ["authorityKeyIdentifier"]=>
+- string(202) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
++ string(%d) "keyid:DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
+ DirName:/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnangelo@php.net
+-serial:AE:C5:56:CC:72:37:50:A2
+-"
++serial:AE:C5:56:CC:72:37:50:A2%A"
+ ["basicConstraints"]=>
+ string(7) "CA:TRUE"
+ }
+--
+2.31.1
+
+From 676a47080bed2730b892e4ea43b93deb4acea335 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 11:55:47 +0200
+Subject: [PATCH 05/39] Use different cipher in openssl_seal() test
+
+RC4 is insecure and not supported in newer versions.
+
+(cherry picked from commit 046b36bcf8c062375c9f5e2a763d6144c2a484b4)
+---
+ ext/openssl/tests/openssl_seal_basic.phpt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/openssl/tests/openssl_seal_basic.phpt b/ext/openssl/tests/openssl_seal_basic.phpt
+index 16efb05a66..e23045c992 100644
+--- a/ext/openssl/tests/openssl_seal_basic.phpt
++++ b/ext/openssl/tests/openssl_seal_basic.phpt
+@@ -9,7 +9,7 @@ $a = 1;
+ $b = array(1);
+ $c = array(1);
+ $d = array(1);
+-$method = "RC4";
++$method = "AES-128-ECB";
+
+ var_dump(openssl_seal($a, $b, $c, $d, $method));
+
+@@ -41,8 +41,8 @@ var_dump(openssl_seal($data, $sealed, $ekeys, array($wrong), $method));
+ Warning: openssl_seal(): Not a public key (1th member of pubkeys) in %s on line %d
+ bool(false)
+ openssl_seal(): Argument #4 ($public_key) cannot be empty
+-int(19)
+-int(19)
++int(32)
++int(32)
+
+ Warning: openssl_seal(): Not a public key (2th member of pubkeys) in %s on line %d
+ bool(false)
+--
+2.31.1
+
+From 389b4605281975d4ecac92cb3751d18d2e3fd60a Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 11:58:46 +0200
+Subject: [PATCH 06/39] Don't test legacy algorithms in SPKI tests
+
+MD4 and RMD160 may not be available on newer OpenSSL versions.
+
+(cherry picked from commit 9695936341c49ea0efec5bdf24acbcdf59e2a7f8)
+---
+ ext/openssl/tests/openssl_spki_export_basic.phpt | 4 ----
+ .../tests/openssl_spki_export_challenge_basic.phpt | 14 --------------
+ ext/openssl/tests/openssl_spki_new_basic.phpt | 8 --------
+ ext/openssl/tests/openssl_spki_verify_basic.phpt | 7 -------
+ 4 files changed, 33 deletions(-)
+
+diff --git a/ext/openssl/tests/openssl_spki_export_basic.phpt b/ext/openssl/tests/openssl_spki_export_basic.phpt
+index 4085d2d5d8..c03954390b 100644
+--- a/ext/openssl/tests/openssl_spki_export_basic.phpt
++++ b/ext/openssl/tests/openssl_spki_export_basic.phpt
+@@ -19,14 +19,12 @@ foreach ($key_sizes as $key_size) {
+
+ /* array of available hashings to test */
+ $algo = array(
+- OPENSSL_ALGO_MD4,
+ OPENSSL_ALGO_MD5,
+ OPENSSL_ALGO_SHA1,
+ OPENSSL_ALGO_SHA224,
+ OPENSSL_ALGO_SHA256,
+ OPENSSL_ALGO_SHA384,
+ OPENSSL_ALGO_SHA512,
+- OPENSSL_ALGO_RMD160
+ );
+
+ /* loop over key sizes for test */
+@@ -56,5 +54,3 @@ function _uuid() {
+ \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
+ \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
+ \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
+-\-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
+-\-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-.*\-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
+diff --git a/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt b/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt
+index f44e60ec62..06308bf10c 100644
+--- a/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt
++++ b/ext/openssl/tests/openssl_spki_export_challenge_basic.phpt
+@@ -21,14 +21,12 @@ foreach ($key_sizes as $key_size) {
+
+ /* array of available hashings to test */
+ $algo = array(
+- OPENSSL_ALGO_MD4,
+ OPENSSL_ALGO_MD5,
+ OPENSSL_ALGO_SHA1,
+ OPENSSL_ALGO_SHA224,
+ OPENSSL_ALGO_SHA256,
+ OPENSSL_ALGO_SHA384,
+ OPENSSL_ALGO_SHA512,
+- OPENSSL_ALGO_RMD160
+ );
+
+ /* loop over key sizes for test */
+@@ -89,15 +87,3 @@ string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
+ bool\(false\)
+ string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
+ bool\(false\)
+-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
+-bool\(false\)
+-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
+-bool\(false\)
+-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
+-bool\(false\)
+-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
+-bool\(false\)
+-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
+-bool\(false\)
+-string\(36\) \"[0-9a-f]{8}\-([0-9a-f]{4}\-){3}[0-9a-f]{12}\"
+-bool\(false\)
+diff --git a/ext/openssl/tests/openssl_spki_new_basic.phpt b/ext/openssl/tests/openssl_spki_new_basic.phpt
+index cb54747fe0..8378bd1ac6 100644
+--- a/ext/openssl/tests/openssl_spki_new_basic.phpt
++++ b/ext/openssl/tests/openssl_spki_new_basic.phpt
+@@ -18,14 +18,12 @@ foreach ($key_sizes as $key_size) {
+
+ /* array of available hashings to test */
+ $algo = array(
+- OPENSSL_ALGO_MD4,
+ OPENSSL_ALGO_MD5,
+ OPENSSL_ALGO_SHA1,
+ OPENSSL_ALGO_SHA224,
+ OPENSSL_ALGO_SHA256,
+ OPENSSL_ALGO_SHA384,
+ OPENSSL_ALGO_SHA512,
+- OPENSSL_ALGO_RMD160
+ );
+
+ /* loop over key sizes for test */
+@@ -53,21 +51,15 @@ string(478) "%s"
+ string(478) "%s"
+ string(478) "%s"
+ string(478) "%s"
+-string(478) "%s"
+-string(474) "%s"
+-string(830) "%s"
+ string(830) "%s"
+ string(830) "%s"
+ string(830) "%s"
+ string(830) "%s"
+ string(830) "%s"
+ string(830) "%s"
+-string(826) "%s"
+-string(1510) "%s"
+ string(1510) "%s"
+ string(1510) "%s"
+ string(1510) "%s"
+ string(1510) "%s"
+ string(1510) "%s"
+ string(1510) "%s"
+-string(1506) "%s"
+diff --git a/ext/openssl/tests/openssl_spki_verify_basic.phpt b/ext/openssl/tests/openssl_spki_verify_basic.phpt
+index c760d0cb83..35badcda37 100644
+--- a/ext/openssl/tests/openssl_spki_verify_basic.phpt
++++ b/ext/openssl/tests/openssl_spki_verify_basic.phpt
+@@ -25,7 +25,6 @@ $algo = array(
+ OPENSSL_ALGO_SHA256,
+ OPENSSL_ALGO_SHA384,
+ OPENSSL_ALGO_SHA512,
+- OPENSSL_ALGO_RMD160
+ );
+
+ /* loop over key sizes for test */
+@@ -80,9 +79,3 @@ bool(true)
+ bool(false)
+ bool(true)
+ bool(false)
+-bool(true)
+-bool(false)
+-bool(true)
+-bool(false)
+-bool(true)
+-bool(false)
+--
+2.31.1
+
+From 054aeebb623e6d4a055a4bab60a864f8c7f65675 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 12:48:02 +0200
+Subject: [PATCH 07/39] Only report provided ciphers in
+ openssl_get_cipher_methods()
+
+With OpenSSL 3 ciphers may be registered, but not provided. Make
+sure that openssl_get_cipher_methods() only returns provided
+ciphers, so that "in_array openssl_get_cipher_methods" style
+checks continue working as expected.
+
+(cherry picked from commit a80ae97d3176aded77ee422772608a026380fc1a)
+---
+ ext/openssl/openssl.c | 34 +++++++++++++++++++++++++++++++++-
+ ext/openssl/php_openssl.h | 4 +++-
+ 2 files changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 015cd89aa6..4ffa2185fb 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -6798,6 +6798,31 @@ PHP_FUNCTION(openssl_get_md_methods)
+ }
+ /* }}} */
+
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++static void php_openssl_add_cipher_name(const char *name, void *arg)
++{
++ size_t len = strlen(name);
++ zend_string *str = zend_string_alloc(len, 0);
++ zend_str_tolower_copy(ZSTR_VAL(str), name, len);
++ add_next_index_str((zval*)arg, str);
++}
++
++static void php_openssl_add_cipher_or_alias(EVP_CIPHER *cipher, void *arg)
++{
++ EVP_CIPHER_names_do_all(cipher, php_openssl_add_cipher_name, arg);
++}
++
++static void php_openssl_add_cipher(EVP_CIPHER *cipher, void *arg)
++{
++ php_openssl_add_cipher_name(EVP_CIPHER_get0_name(cipher), arg);
++}
++
++static int php_openssl_compare_func(Bucket *a, Bucket *b)
++{
++ return string_compare_function(&a->val, &b->val);
++}
++#endif
++
+ /* {{{ Return array of available cipher algorithms */
+ PHP_FUNCTION(openssl_get_cipher_methods)
+ {
+@@ -6807,9 +6832,16 @@ PHP_FUNCTION(openssl_get_cipher_methods)
+ RETURN_THROWS();
+ }
+ array_init(return_value);
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++ EVP_CIPHER_do_all_provided(NULL,
++ aliases ? php_openssl_add_cipher_or_alias : php_openssl_add_cipher,
++ return_value);
++ zend_hash_sort(Z_ARRVAL_P(return_value), php_openssl_compare_func, 1);
++#else
+ OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
+- aliases ? php_openssl_add_method_or_alias: php_openssl_add_method,
++ aliases ? php_openssl_add_method_or_alias : php_openssl_add_method,
+ return_value);
++#endif
+ }
+ /* }}} */
+
+diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h
+index c674ead34b..16bad9e6b0 100644
+--- a/ext/openssl/php_openssl.h
++++ b/ext/openssl/php_openssl.h
+@@ -39,8 +39,10 @@ extern zend_module_entry openssl_module_entry;
+ #define PHP_OPENSSL_API_VERSION 0x10001
+ #elif OPENSSL_VERSION_NUMBER < 0x10100000L
+ #define PHP_OPENSSL_API_VERSION 0x10002
+-#else
++#elif OPENSSL_VERSION_NUMBER < 0x30000000L
+ #define PHP_OPENSSL_API_VERSION 0x10100
++#else
++#define PHP_OPENSSL_API_VERSION 0x30000
+ #endif
+ #endif
+
+--
+2.31.1
+
+From 62fbe1839d980583156b0d22c49753c4666e73e8 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 12:05:02 +0200
+Subject: [PATCH 08/39] Avoid RC4 use in another test
+
+(cherry picked from commit 503146aa87e48f075f47a093ed7868e323814a66)
+---
+ ext/openssl/tests/openssl_open_basic.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/openssl/tests/openssl_open_basic.phpt b/ext/openssl/tests/openssl_open_basic.phpt
+index 5e551c507f..271a878cdf 100644
+--- a/ext/openssl/tests/openssl_open_basic.phpt
++++ b/ext/openssl/tests/openssl_open_basic.phpt
+@@ -8,7 +8,7 @@ $data = "openssl_open() test";
+ $pub_key = "file://" . __DIR__ . "/public.key";
+ $priv_key = "file://" . __DIR__ . "/private_rsa_1024.key";
+ $wrong = "wrong";
+-$method = "RC4";
++$method = "AES-128-ECB";
+
+ openssl_seal($data, $sealed, $ekeys, array($pub_key, $pub_key, $pub_key), $method);
+ openssl_open($sealed, $output, $ekeys[0], $priv_key, $method);
+--
+2.31.1
+
+From 95e6b2c67de6a63d059b678d14f291487f563163 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 15:47:14 +0200
+Subject: [PATCH 09/39] Use EVP_PKEY API for
+ openssl_public_encrypt/private_decrypt
+
+Use the high level API instead of the deprecated low level API.
+
+(cherry picked from commit 0233afae2762a7e7be49935ebbb981783c471d13)
+---
+ ext/openssl/openssl.c | 117 +++++++-----------
+ .../tests/openssl_error_string_basic.phpt | 2 +-
+ 2 files changed, 45 insertions(+), 74 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 4ffa2185fb..64840da451 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -6230,11 +6230,6 @@ PHP_FUNCTION(openssl_private_encrypt)
+ PHP_FUNCTION(openssl_private_decrypt)
+ {
+ zval *key, *crypted;
+- EVP_PKEY *pkey;
+- int cryptedlen;
+- zend_string *cryptedbuf = NULL;
+- unsigned char *crypttemp;
+- int successful = 0;
+ zend_long padding = RSA_PKCS1_PADDING;
+ char * data;
+ size_t data_len;
+@@ -6243,11 +6238,7 @@ PHP_FUNCTION(openssl_private_decrypt)
+ RETURN_THROWS();
+ }
+
+- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1);
+-
+- RETVAL_FALSE;
+-
+- pkey = php_openssl_pkey_from_zval(key, 0, "", 0);
++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 0, "", 0);
+ if (pkey == NULL) {
+ if (!EG(exception)) {
+ php_error_docref(NULL, E_WARNING, "key parameter is not a valid private key");
+@@ -6255,42 +6246,33 @@ PHP_FUNCTION(openssl_private_decrypt)
+ RETURN_FALSE;
+ }
+
+- cryptedlen = EVP_PKEY_size(pkey);
+- crypttemp = emalloc(cryptedlen + 1);
+-
+- switch (EVP_PKEY_id(pkey)) {
+- case EVP_PKEY_RSA:
+- case EVP_PKEY_RSA2:
+- cryptedlen = RSA_private_decrypt((int)data_len,
+- (unsigned char *)data,
+- crypttemp,
+- EVP_PKEY_get0_RSA(pkey),
+- (int)padding);
+- if (cryptedlen != -1) {
+- cryptedbuf = zend_string_alloc(cryptedlen, 0);
+- memcpy(ZSTR_VAL(cryptedbuf), crypttemp, cryptedlen);
+- successful = 1;
+- }
+- break;
+- default:
+- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!");
++ size_t out_len = 0;
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
++ if (!ctx || EVP_PKEY_decrypt_init(ctx) <= 0 ||
++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
++ EVP_PKEY_decrypt(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
++ php_openssl_store_errors();
++ RETVAL_FALSE;
++ goto cleanup;
+ }
+
+- efree(crypttemp);
+-
+- if (successful) {
+- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
+- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf);
+- cryptedbuf = NULL;
+- RETVAL_TRUE;
+- } else {
++ zend_string *out = zend_string_alloc(out_len, 0);
++ if (EVP_PKEY_decrypt(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
++ (unsigned char *) data, data_len) <= 0) {
++ zend_string_release(out);
+ php_openssl_store_errors();
++ RETVAL_FALSE;
++ goto cleanup;
+ }
+
++ out = zend_string_truncate(out, out_len, 0);
++ ZSTR_VAL(out)[out_len] = '\0';
++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
++ RETVAL_TRUE;
++
++cleanup:
++ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+- if (cryptedbuf) {
+- zend_string_release_ex(cryptedbuf, 0);
+- }
+ }
+ /* }}} */
+
+@@ -6298,10 +6280,6 @@ PHP_FUNCTION(openssl_private_decrypt)
+ PHP_FUNCTION(openssl_public_encrypt)
+ {
+ zval *key, *crypted;
+- EVP_PKEY *pkey;
+- int cryptedlen;
+- zend_string *cryptedbuf;
+- int successful = 0;
+ zend_long padding = RSA_PKCS1_PADDING;
+ char * data;
+ size_t data_len;
+@@ -6310,11 +6288,7 @@ PHP_FUNCTION(openssl_public_encrypt)
+ RETURN_THROWS();
+ }
+
+- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1);
+-
+- RETVAL_FALSE;
+-
+- pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0);
++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0);
+ if (pkey == NULL) {
+ if (!EG(exception)) {
+ php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key");
+@@ -6322,35 +6296,32 @@ PHP_FUNCTION(openssl_public_encrypt)
+ RETURN_FALSE;
+ }
+
+- cryptedlen = EVP_PKEY_size(pkey);
+- cryptedbuf = zend_string_alloc(cryptedlen, 0);
+-
+- switch (EVP_PKEY_id(pkey)) {
+- case EVP_PKEY_RSA:
+- case EVP_PKEY_RSA2:
+- successful = (RSA_public_encrypt((int)data_len,
+- (unsigned char *)data,
+- (unsigned char *)ZSTR_VAL(cryptedbuf),
+- EVP_PKEY_get0_RSA(pkey),
+- (int)padding) == cryptedlen);
+- break;
+- default:
+- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!");
+-
++ size_t out_len = 0;
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
++ if (!ctx || EVP_PKEY_encrypt_init(ctx) <= 0 ||
++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
++ EVP_PKEY_encrypt(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
++ php_openssl_store_errors();
++ RETVAL_FALSE;
++ goto cleanup;
+ }
+
+- if (successful) {
+- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
+- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf);
+- cryptedbuf = NULL;
+- RETVAL_TRUE;
+- } else {
++ zend_string *out = zend_string_alloc(out_len, 0);
++ if (EVP_PKEY_encrypt(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
++ (unsigned char *) data, data_len) <= 0) {
++ zend_string_release(out);
+ php_openssl_store_errors();
++ RETVAL_FALSE;
++ goto cleanup;
+ }
++
++ ZSTR_VAL(out)[out_len] = '\0';
++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
++ RETVAL_TRUE;
++
++cleanup:
++ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+- if (cryptedbuf) {
+- zend_string_release_ex(cryptedbuf, 0);
+- }
+ }
+ /* }}} */
+
+diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt
+index b55b7ced44..eb76dfbf77 100644
+--- a/ext/openssl/tests/openssl_error_string_basic.phpt
++++ b/ext/openssl/tests/openssl_error_string_basic.phpt
+@@ -119,7 +119,7 @@ expect_openssl_errors('openssl_private_decrypt', ['04065072']);
+ // public encrypt and decrypt with failed padding check and padding
+ @openssl_public_encrypt("data", $crypted, $public_key_file, 1000);
+ @openssl_public_decrypt("data", $crypted, $public_key_file);
+-expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '04068076', '04067072']);
++expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '0408F090', '04067072']);
+
+ // X509
+ echo "X509 errors\n";
+--
+2.31.1
+
+From b29b719e4741cde6d1e441e0340f038976cb461b Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 16:56:32 +0200
+Subject: [PATCH 10/39] Use EVP_PKEY APIs for
+ openssl_private_encrypt/public_decrypt
+
+Use high level APIs instead of deprecated low level APIs.
+
+(cherry picked from commit 384ad6e22412756d7a2fa7a4c35579f041784e59)
+---
+ ext/openssl/openssl.c | 119 +++++++-----------
+ .../tests/openssl_error_string_basic.phpt | 2 +-
+ 2 files changed, 45 insertions(+), 76 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 64840da451..4e9b949b5f 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -6170,10 +6170,6 @@ clean_exit:
+ PHP_FUNCTION(openssl_private_encrypt)
+ {
+ zval *key, *crypted;
+- EVP_PKEY *pkey;
+- int cryptedlen;
+- zend_string *cryptedbuf = NULL;
+- int successful = 0;
+ char * data;
+ size_t data_len;
+ zend_long padding = RSA_PKCS1_PADDING;
+@@ -6182,12 +6178,7 @@ PHP_FUNCTION(openssl_private_encrypt)
+ RETURN_THROWS();
+ }
+
+- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1);
+-
+- RETVAL_FALSE;
+-
+- pkey = php_openssl_pkey_from_zval(key, 0, "", 0);
+-
++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 0, "", 0);
+ if (pkey == NULL) {
+ if (!EG(exception)) {
+ php_error_docref(NULL, E_WARNING, "key param is not a valid private key");
+@@ -6195,33 +6186,31 @@ PHP_FUNCTION(openssl_private_encrypt)
+ RETURN_FALSE;
+ }
+
+- cryptedlen = EVP_PKEY_size(pkey);
+- cryptedbuf = zend_string_alloc(cryptedlen, 0);
+-
+- switch (EVP_PKEY_id(pkey)) {
+- case EVP_PKEY_RSA:
+- case EVP_PKEY_RSA2:
+- successful = (RSA_private_encrypt((int)data_len,
+- (unsigned char *)data,
+- (unsigned char *)ZSTR_VAL(cryptedbuf),
+- EVP_PKEY_get0_RSA(pkey),
+- (int)padding) == cryptedlen);
+- break;
+- default:
+- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!");
++ size_t out_len = 0;
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
++ if (!ctx || EVP_PKEY_sign_init(ctx) <= 0 ||
++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
++ EVP_PKEY_sign(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
++ php_openssl_store_errors();
++ RETVAL_FALSE;
++ goto cleanup;
+ }
+
+- if (successful) {
+- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
+- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf);
+- cryptedbuf = NULL;
+- RETVAL_TRUE;
+- } else {
++ zend_string *out = zend_string_alloc(out_len, 0);
++ if (EVP_PKEY_sign(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
++ (unsigned char *) data, data_len) <= 0) {
++ zend_string_release(out);
+ php_openssl_store_errors();
++ RETVAL_FALSE;
++ goto cleanup;
+ }
+- if (cryptedbuf) {
+- zend_string_release_ex(cryptedbuf, 0);
+- }
++
++ ZSTR_VAL(out)[out_len] = '\0';
++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
++ RETVAL_TRUE;
++
++cleanup:
++ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+ }
+ /* }}} */
+@@ -6329,11 +6318,6 @@ cleanup:
+ PHP_FUNCTION(openssl_public_decrypt)
+ {
+ zval *key, *crypted;
+- EVP_PKEY *pkey;
+- int cryptedlen;
+- zend_string *cryptedbuf = NULL;
+- unsigned char *crypttemp;
+- int successful = 0;
+ zend_long padding = RSA_PKCS1_PADDING;
+ char * data;
+ size_t data_len;
+@@ -6342,11 +6326,7 @@ PHP_FUNCTION(openssl_public_decrypt)
+ RETURN_THROWS();
+ }
+
+- PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data, 1);
+-
+- RETVAL_FALSE;
+-
+- pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0);
++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0);
+ if (pkey == NULL) {
+ if (!EG(exception)) {
+ php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key");
+@@ -6354,43 +6334,32 @@ PHP_FUNCTION(openssl_public_decrypt)
+ RETURN_FALSE;
+ }
+
+- cryptedlen = EVP_PKEY_size(pkey);
+- crypttemp = emalloc(cryptedlen + 1);
+-
+- switch (EVP_PKEY_id(pkey)) {
+- case EVP_PKEY_RSA:
+- case EVP_PKEY_RSA2:
+- cryptedlen = RSA_public_decrypt((int)data_len,
+- (unsigned char *)data,
+- crypttemp,
+- EVP_PKEY_get0_RSA(pkey),
+- (int)padding);
+- if (cryptedlen != -1) {
+- cryptedbuf = zend_string_alloc(cryptedlen, 0);
+- memcpy(ZSTR_VAL(cryptedbuf), crypttemp, cryptedlen);
+- successful = 1;
+- }
+- break;
+-
+- default:
+- php_error_docref(NULL, E_WARNING, "key type not supported in this PHP build!");
+-
++ size_t out_len = 0;
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
++ if (!ctx || EVP_PKEY_verify_recover_init(ctx) <= 0 ||
++ EVP_PKEY_CTX_set_rsa_padding(ctx, padding) <= 0 ||
++ EVP_PKEY_verify_recover(ctx, NULL, &out_len, (unsigned char *) data, data_len) <= 0) {
++ php_openssl_store_errors();
++ RETVAL_FALSE;
++ goto cleanup;
+ }
+
+- efree(crypttemp);
+-
+- if (successful) {
+- ZSTR_VAL(cryptedbuf)[cryptedlen] = '\0';
+- ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, cryptedbuf);
+- cryptedbuf = NULL;
+- RETVAL_TRUE;
+- } else {
++ zend_string *out = zend_string_alloc(out_len, 0);
++ if (EVP_PKEY_verify_recover(ctx, (unsigned char *) ZSTR_VAL(out), &out_len,
++ (unsigned char *) data, data_len) <= 0) {
++ zend_string_release(out);
+ php_openssl_store_errors();
++ RETVAL_FALSE;
++ goto cleanup;
+ }
+
+- if (cryptedbuf) {
+- zend_string_release_ex(cryptedbuf, 0);
+- }
++ out = zend_string_truncate(out, out_len, 0);
++ ZSTR_VAL(out)[out_len] = '\0';
++ ZEND_TRY_ASSIGN_REF_NEW_STR(crypted, out);
++ RETVAL_TRUE;
++
++cleanup:
++ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+ }
+ /* }}} */
+diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt
+index eb76dfbf77..f3eb82067b 100644
+--- a/ext/openssl/tests/openssl_error_string_basic.phpt
++++ b/ext/openssl/tests/openssl_error_string_basic.phpt
+@@ -112,7 +112,7 @@ expect_openssl_errors('openssl_pkey_export', ['06065064', '0906A065']);
+ expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]);
+ // private encrypt with unknown padding
+ @openssl_private_encrypt("data", $crypted, $private_key_file, 1000);
+-expect_openssl_errors('openssl_private_encrypt', ['04066076']);
++expect_openssl_errors('openssl_private_encrypt', ['0408F090']);
+ // private decrypt with failed padding check
+ @openssl_private_decrypt("data", $crypted, $private_key_file);
+ expect_openssl_errors('openssl_private_decrypt', ['04065072']);
+--
+2.31.1
+
+From bfdbdfb6bf128c157adfba402b89b0f82be993ab Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 5 Aug 2021 10:29:50 +0200
+Subject: [PATCH 11/39] Use EVP_PKEY APIs for key generation
+
+Use high level API instead of deprecated low level API.
+
+(cherry picked from commit 13313d9b1b9fa014fe6f92c496477e28f4f11772)
+---
+ ext/openssl/openssl.c | 210 +++++++++++++++-----------------
+ ext/openssl/tests/bug80747.phpt | 4 +-
+ 2 files changed, 101 insertions(+), 113 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 4e9b949b5f..d260670ff9 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -3656,140 +3656,130 @@ static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *pas
+ return key;
+ }
+
++static int php_openssl_get_evp_pkey_type(int key_type) {
++ switch (key_type) {
++ case OPENSSL_KEYTYPE_RSA:
++ return EVP_PKEY_RSA;
++#if !defined(NO_DSA)
++ case OPENSSL_KEYTYPE_DSA:
++ return EVP_PKEY_DSA;
++#endif
++#if !defined(NO_DH)
++ case OPENSSL_KEYTYPE_DH:
++ return EVP_PKEY_DH;
++#endif
++#ifdef HAVE_EVP_PKEY_EC
++ case OPENSSL_KEYTYPE_EC:
++ return EVP_PKEY_EC;
++#endif
++ default:
++ return -1;
++ }
++}
++
+ /* {{{ php_openssl_generate_private_key */
+ static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req)
+ {
+- char * randfile = NULL;
+- int egdsocket, seeded;
+- EVP_PKEY * return_val = NULL;
+-
+ if (req->priv_key_bits < MIN_KEY_LENGTH) {
+ php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d",
+ MIN_KEY_LENGTH, req->priv_key_bits);
+ return NULL;
+ }
+
+- randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE");
++ int type = php_openssl_get_evp_pkey_type(req->priv_key_type);
++ if (type < 0) {
++ php_error_docref(NULL, E_WARNING, "Unsupported private key type");
++ return NULL;
++ }
++
++ int egdsocket, seeded;
++ char *randfile = php_openssl_conf_get_string(req->req_config, req->section_name, "RANDFILE");
+ php_openssl_load_rand_file(randfile, &egdsocket, &seeded);
++ PHP_OPENSSL_RAND_ADD_TIME();
+
+- if ((req->priv_key = EVP_PKEY_new()) != NULL) {
+- switch(req->priv_key_type) {
+- case OPENSSL_KEYTYPE_RSA:
+- {
+- RSA* rsaparam;
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L
+- /* OpenSSL 1.0.2 deprecates RSA_generate_key */
+- PHP_OPENSSL_RAND_ADD_TIME();
+- rsaparam = (RSA*)RSA_generate_key(req->priv_key_bits, RSA_F4, NULL, NULL);
+-#else
+- {
+- BIGNUM *bne = (BIGNUM *)BN_new();
+- if (BN_set_word(bne, RSA_F4) != 1) {
+- BN_free(bne);
+- php_error_docref(NULL, E_WARNING, "Failed setting exponent");
+- return NULL;
+- }
+- rsaparam = RSA_new();
+- PHP_OPENSSL_RAND_ADD_TIME();
+- if (rsaparam == NULL || !RSA_generate_key_ex(rsaparam, req->priv_key_bits, bne, NULL)) {
+- php_openssl_store_errors();
+- RSA_free(rsaparam);
+- rsaparam = NULL;
+- }
+- BN_free(bne);
+- }
+-#endif
+- if (rsaparam && EVP_PKEY_assign_RSA(req->priv_key, rsaparam)) {
+- return_val = req->priv_key;
+- } else {
+- php_openssl_store_errors();
+- }
+- }
+- break;
++ EVP_PKEY *key = NULL;
++ EVP_PKEY *params = NULL;
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(type, NULL);
++ if (!ctx) {
++ php_openssl_store_errors();
++ goto cleanup;
++ }
++
++ if (type != EVP_PKEY_RSA) {
++ if (EVP_PKEY_paramgen_init(ctx) <= 0) {
++ php_openssl_store_errors();
++ goto cleanup;
++ }
++
++ switch (type) {
+ #if !defined(NO_DSA)
+- case OPENSSL_KEYTYPE_DSA:
+- PHP_OPENSSL_RAND_ADD_TIME();
+- {
+- DSA *dsaparam = DSA_new();
+- if (dsaparam && DSA_generate_parameters_ex(dsaparam, req->priv_key_bits, NULL, 0, NULL, NULL, NULL)) {
+- DSA_set_method(dsaparam, DSA_get_default_method());
+- if (DSA_generate_key(dsaparam)) {
+- if (EVP_PKEY_assign_DSA(req->priv_key, dsaparam)) {
+- return_val = req->priv_key;
+- } else {
+- php_openssl_store_errors();
+- }
+- } else {
+- php_openssl_store_errors();
+- DSA_free(dsaparam);
+- }
+- } else {
+- php_openssl_store_errors();
+- }
+- }
+- break;
++ case EVP_PKEY_DSA:
++ if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, req->priv_key_bits) <= 0) {
++ php_openssl_store_errors();
++ goto cleanup;
++ }
++ break;
+ #endif
+ #if !defined(NO_DH)
+- case OPENSSL_KEYTYPE_DH:
+- PHP_OPENSSL_RAND_ADD_TIME();
+- {
+- int codes = 0;
+- DH *dhparam = DH_new();
+- if (dhparam && DH_generate_parameters_ex(dhparam, req->priv_key_bits, 2, NULL)) {
+- DH_set_method(dhparam, DH_get_default_method());
+- if (DH_check(dhparam, &codes) && codes == 0 && DH_generate_key(dhparam)) {
+- if (EVP_PKEY_assign_DH(req->priv_key, dhparam)) {
+- return_val = req->priv_key;
+- } else {
+- php_openssl_store_errors();
+- }
+- } else {
+- php_openssl_store_errors();
+- DH_free(dhparam);
+- }
+- } else {
+- php_openssl_store_errors();
+- }
+- }
+- break;
++ case EVP_PKEY_DH:
++ if (EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, req->priv_key_bits) <= 0) {
++ php_openssl_store_errors();
++ goto cleanup;
++ }
++ break;
+ #endif
+ #ifdef HAVE_EVP_PKEY_EC
+- case OPENSSL_KEYTYPE_EC:
+- {
+- EC_KEY *eckey;
+- if (req->curve_name == NID_undef) {
+- php_error_docref(NULL, E_WARNING, "Missing configuration value: \"curve_name\" not set");
+- return NULL;
+- }
+- eckey = EC_KEY_new_by_curve_name(req->curve_name);
+- if (eckey) {
+- EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
+- if (EC_KEY_generate_key(eckey) &&
+- EVP_PKEY_assign_EC_KEY(req->priv_key, eckey)) {
+- return_val = req->priv_key;
+- } else {
+- EC_KEY_free(eckey);
+- }
+- }
+- }
+- break;
++ case EVP_PKEY_EC:
++ if (req->curve_name == NID_undef) {
++ php_error_docref(NULL, E_WARNING, "Missing configuration value: \"curve_name\" not set");
++ goto cleanup;
++ }
++
++ if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, req->curve_name) <= 0 ||
++ EVP_PKEY_CTX_set_ec_param_enc(ctx, OPENSSL_EC_NAMED_CURVE) <= 0) {
++ php_openssl_store_errors();
++ goto cleanup;
++ }
++ break;
+ #endif
+- default:
+- php_error_docref(NULL, E_WARNING, "Unsupported private key type");
++ EMPTY_SWITCH_DEFAULT_CASE()
+ }
+- } else {
++
++ if (EVP_PKEY_paramgen(ctx, ¶ms) <= 0) {
++ php_openssl_store_errors();
++ goto cleanup;
++ }
++
++ EVP_PKEY_CTX_free(ctx);
++ ctx = EVP_PKEY_CTX_new(params, NULL);
++ if (!ctx) {
++ php_openssl_store_errors();
++ goto cleanup;
++ }
++ }
++
++ if (EVP_PKEY_keygen_init(ctx) <= 0) {
+ php_openssl_store_errors();
++ goto cleanup;
+ }
+
+- php_openssl_write_rand_file(randfile, egdsocket, seeded);
++ if (type == EVP_PKEY_RSA && EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, req->priv_key_bits) <= 0) {
++ php_openssl_store_errors();
++ goto cleanup;
++ }
+
+- if (return_val == NULL) {
+- EVP_PKEY_free(req->priv_key);
+- req->priv_key = NULL;
+- return NULL;
++ if (EVP_PKEY_keygen(ctx, &key) <= 0) {
++ php_openssl_store_errors();
++ goto cleanup;
+ }
+
+- return return_val;
++ req->priv_key = key;
++
++cleanup:
++ php_openssl_write_rand_file(randfile, egdsocket, seeded);
++ EVP_PKEY_free(params);
++ EVP_PKEY_CTX_free(ctx);
++ return key;
+ }
+ /* }}} */
+
+diff --git a/ext/openssl/tests/bug80747.phpt b/ext/openssl/tests/bug80747.phpt
+index 327c916688..12ae0ff0e1 100644
+--- a/ext/openssl/tests/bug80747.phpt
++++ b/ext/openssl/tests/bug80747.phpt
+@@ -14,9 +14,7 @@ $conf = array(
+ 'private_key_bits' => 511,
+ );
+ var_dump(openssl_pkey_new($conf));
+-while ($e = openssl_error_string()) {
+- echo $e, "\n";
+-}
++echo openssl_error_string(), "\n";
+
+ ?>
+ --EXPECTF--
+--
+2.31.1
+
+From 8dfe551ef85a874df63d0bb50b2d065c3370fd7e Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 5 Aug 2021 11:50:11 +0200
+Subject: [PATCH 12/39] Relax error check
+
+The precise error is version-dependent, just check that there
+is some kind of error reported.
+
+(cherry picked from commit cd8bf0b6bd23e03bdc8d069df53a2d976809a916)
+---
+ ext/openssl/tests/bug80747.phpt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/openssl/tests/bug80747.phpt b/ext/openssl/tests/bug80747.phpt
+index 12ae0ff0e1..3f319b4b24 100644
+--- a/ext/openssl/tests/bug80747.phpt
++++ b/ext/openssl/tests/bug80747.phpt
+@@ -14,9 +14,9 @@ $conf = array(
+ 'private_key_bits' => 511,
+ );
+ var_dump(openssl_pkey_new($conf));
+-echo openssl_error_string(), "\n";
++var_dump(openssl_error_string() !== false);
+
+ ?>
+---EXPECTF--
++--EXPECT--
+ bool(false)
+-error:%s:key size too small
++bool(true)
+--
+2.31.1
+
+From 44859f59f3ff3d7cf24ae146e9b0da348e6befcd Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 5 Aug 2021 12:59:13 +0200
+Subject: [PATCH 13/39] Store whether pkey object contains private key
+
+Rather than querying whether the EVP_PKEY contains private key
+information, determine this at time of construction and store it
+in the PHP object.
+
+OpenSSL doesn't provide an API for this purpose, and seems
+somewhat reluctant to add one, see
+https://github.com/openssl/openssl/issues/9467.
+
+To avoid using deprecated low-level APIs to determine whether
+something is a private key ourselves, remember it at the point
+of construction.
+
+(cherry picked from commit f878bbd96b34ac11fed66c895891570ef10b0dcb)
+---
+ ext/openssl/openssl.c | 155 +++++++++---------------------------------
+ 1 file changed, 31 insertions(+), 124 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index d260670ff9..1fca64df15 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -201,6 +201,7 @@ static void php_openssl_request_free_obj(zend_object *object)
+
+ typedef struct _php_openssl_pkey_object {
+ EVP_PKEY *pkey;
++ bool is_private;
+ zend_object std;
+ } php_openssl_pkey_object;
+
+@@ -224,6 +225,13 @@ static zend_object *php_openssl_pkey_create_object(zend_class_entry *class_type)
+ return &intern->std;
+ }
+
++static void php_openssl_pkey_object_init(zval *zv, EVP_PKEY *pkey, bool is_private) {
++ object_init_ex(zv, php_openssl_pkey_ce);
++ php_openssl_pkey_object *obj = Z_OPENSSL_PKEY_P(zv);
++ obj->pkey = pkey;
++ obj->is_private = is_private;
++}
++
+ static zend_function *php_openssl_pkey_get_constructor(zend_object *object) {
+ zend_throw_error(NULL, "Cannot directly construct OpenSSLAsymmetricKey, use openssl_pkey_new() instead");
+ return NULL;
+@@ -517,7 +525,6 @@ static X509 *php_openssl_x509_from_zval(zval *val, bool *free_cert);
+ static X509_REQ *php_openssl_csr_from_param(zend_object *csr_obj, zend_string *csr_str);
+ static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *passphrase, size_t passphrase_len);
+
+-static int php_openssl_is_private_key(EVP_PKEY* pkey);
+ static X509_STORE * php_openssl_setup_verify(zval * calist);
+ static STACK_OF(X509) * php_openssl_load_all_certs_from_file(char *certfile);
+ static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req);
+@@ -3362,11 +3369,8 @@ PHP_FUNCTION(openssl_csr_new)
+ if (we_made_the_key) {
+ /* and an object for the private key */
+ zval zkey_object;
+- php_openssl_pkey_object *key_object;
+- object_init_ex(&zkey_object, php_openssl_pkey_ce);
+- key_object = Z_OPENSSL_PKEY_P(&zkey_object);
+- key_object->pkey = req.priv_key;
+-
++ php_openssl_pkey_object_init(
++ &zkey_object, req.priv_key, /* is_private */ true);
+ ZEND_TRY_ASSIGN_REF_TMP(out_pkey, &zkey_object);
+ req.priv_key = NULL; /* make sure the cleanup code doesn't zap it! */
+ }
+@@ -3424,7 +3428,6 @@ PHP_FUNCTION(openssl_csr_get_public_key)
+ zend_string *csr_str;
+ zend_bool use_shortnames = 1;
+
+- php_openssl_pkey_object *key_object;
+ EVP_PKEY *tpubkey;
+
+ ZEND_PARSE_PARAMETERS_START(1, 2)
+@@ -3467,9 +3470,7 @@ PHP_FUNCTION(openssl_csr_get_public_key)
+ RETURN_FALSE;
+ }
+
+- object_init_ex(return_value, php_openssl_pkey_ce);
+- key_object = Z_OPENSSL_PKEY_P(return_value);
+- key_object->pkey = tpubkey;
++ php_openssl_pkey_object_init(return_value, tpubkey, /* is_private */ false);
+ }
+ /* }}} */
+
+@@ -3545,10 +3546,9 @@ static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *pas
+ }
+
+ if (Z_TYPE_P(val) == IS_OBJECT && Z_OBJCE_P(val) == php_openssl_pkey_ce) {
+- int is_priv;
+-
+- key = php_openssl_pkey_from_obj(Z_OBJ_P(val))->pkey;
+- is_priv = php_openssl_is_private_key(key);
++ php_openssl_pkey_object *obj = php_openssl_pkey_from_obj(Z_OBJ_P(val));
++ key = obj->pkey;
++ bool is_priv = obj->is_private;
+
+ /* check whether it is actually a private key if requested */
+ if (!public_key && !is_priv) {
+@@ -3783,85 +3783,6 @@ cleanup:
+ }
+ /* }}} */
+
+-/* {{{ php_openssl_is_private_key
+- Check whether the supplied key is a private key by checking if the secret prime factors are set */
+-static int php_openssl_is_private_key(EVP_PKEY* pkey)
+-{
+- assert(pkey != NULL);
+-
+- switch (EVP_PKEY_id(pkey)) {
+- case EVP_PKEY_RSA:
+- case EVP_PKEY_RSA2:
+- {
+- RSA *rsa = EVP_PKEY_get0_RSA(pkey);
+- if (rsa != NULL) {
+- const BIGNUM *p, *q;
+-
+- RSA_get0_factors(rsa, &p, &q);
+- if (p == NULL || q == NULL) {
+- return 0;
+- }
+- }
+- }
+- break;
+- case EVP_PKEY_DSA:
+- case EVP_PKEY_DSA1:
+- case EVP_PKEY_DSA2:
+- case EVP_PKEY_DSA3:
+- case EVP_PKEY_DSA4:
+- {
+- DSA *dsa = EVP_PKEY_get0_DSA(pkey);
+- if (dsa != NULL) {
+- const BIGNUM *p, *q, *g, *pub_key, *priv_key;
+-
+- DSA_get0_pqg(dsa, &p, &q, &g);
+- if (p == NULL || q == NULL) {
+- return 0;
+- }
+-
+- DSA_get0_key(dsa, &pub_key, &priv_key);
+- if (priv_key == NULL) {
+- return 0;
+- }
+- }
+- }
+- break;
+- case EVP_PKEY_DH:
+- {
+- DH *dh = EVP_PKEY_get0_DH(pkey);
+- if (dh != NULL) {
+- const BIGNUM *p, *q, *g, *pub_key, *priv_key;
+-
+- DH_get0_pqg(dh, &p, &q, &g);
+- if (p == NULL) {
+- return 0;
+- }
+-
+- DH_get0_key(dh, &pub_key, &priv_key);
+- if (priv_key == NULL) {
+- return 0;
+- }
+- }
+- }
+- break;
+-#ifdef HAVE_EVP_PKEY_EC
+- case EVP_PKEY_EC:
+- {
+- EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
+- if (ec != NULL && NULL == EC_KEY_get0_private_key(ec)) {
+- return 0;
+- }
+- }
+- break;
+-#endif
+- default:
+- php_error_docref(NULL, E_WARNING, "Key type not supported in this PHP build!");
+- break;
+- }
+- return 1;
+-}
+-/* }}} */
+-
+ #define OPENSSL_GET_BN(_array, _bn, _name) do { \
+ if (_bn != NULL) { \
+ int len = BN_num_bytes(_bn); \
+@@ -3920,7 +3841,7 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa,
+ }
+
+ /* {{{ php_openssl_pkey_init_dsa */
+-static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data)
++static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_private)
+ {
+ BIGNUM *p, *q, *g, *priv_key, *pub_key;
+ const BIGNUM *priv_key_const, *pub_key_const;
+@@ -3934,6 +3855,7 @@ static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data)
+
+ OPENSSL_PKEY_SET_BN(data, pub_key);
+ OPENSSL_PKEY_SET_BN(data, priv_key);
++ *is_private = priv_key != NULL;
+ if (pub_key) {
+ return DSA_set0_key(dsa, pub_key, priv_key);
+ }
+@@ -3998,7 +3920,7 @@ static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM
+ /* }}} */
+
+ /* {{{ php_openssl_pkey_init_dh */
+-static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data)
++static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private)
+ {
+ BIGNUM *p, *q, *g, *priv_key, *pub_key;
+
+@@ -4011,6 +3933,7 @@ static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data)
+
+ OPENSSL_PKEY_SET_BN(data, priv_key);
+ OPENSSL_PKEY_SET_BN(data, pub_key);
++ *is_private = priv_key != NULL;
+ if (pub_key) {
+ return DH_set0_key(dh, pub_key, priv_key);
+ }
+@@ -4039,7 +3962,6 @@ PHP_FUNCTION(openssl_pkey_new)
+ struct php_x509_request req;
+ zval * args = NULL;
+ zval *data;
+- php_openssl_pkey_object *key_object;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "|a!", &args) == FAILURE) {
+ RETURN_THROWS();
+@@ -4056,9 +3978,7 @@ PHP_FUNCTION(openssl_pkey_new)
+ RSA *rsa = RSA_new();
+ if (rsa) {
+ if (php_openssl_pkey_init_and_assign_rsa(pkey, rsa, data)) {
+- object_init_ex(return_value, php_openssl_pkey_ce);
+- key_object = Z_OPENSSL_PKEY_P(return_value);
+- key_object->pkey = pkey;
++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true);
+ return;
+ }
+ RSA_free(rsa);
+@@ -4076,11 +3996,10 @@ PHP_FUNCTION(openssl_pkey_new)
+ if (pkey) {
+ DSA *dsa = DSA_new();
+ if (dsa) {
+- if (php_openssl_pkey_init_dsa(dsa, data)) {
++ bool is_private;
++ if (php_openssl_pkey_init_dsa(dsa, data, &is_private)) {
+ if (EVP_PKEY_assign_DSA(pkey, dsa)) {
+- object_init_ex(return_value, php_openssl_pkey_ce);
+- key_object = Z_OPENSSL_PKEY_P(return_value);
+- key_object->pkey = pkey;
++ php_openssl_pkey_object_init(return_value, pkey, is_private);
+ return;
+ } else {
+ php_openssl_store_errors();
+@@ -4101,13 +4020,10 @@ PHP_FUNCTION(openssl_pkey_new)
+ if (pkey) {
+ DH *dh = DH_new();
+ if (dh) {
+- if (php_openssl_pkey_init_dh(dh, data)) {
++ bool is_private;
++ if (php_openssl_pkey_init_dh(dh, data, &is_private)) {
+ if (EVP_PKEY_assign_DH(pkey, dh)) {
+- php_openssl_pkey_object *key_object;
+-
+- object_init_ex(return_value, php_openssl_pkey_ce);
+- key_object = Z_OPENSSL_PKEY_P(return_value);
+- key_object->pkey = pkey;
++ php_openssl_pkey_object_init(return_value, pkey, is_private);
+ return;
+ } else {
+ php_openssl_store_errors();
+@@ -4133,6 +4049,7 @@ PHP_FUNCTION(openssl_pkey_new)
+ if (pkey) {
+ eckey = EC_KEY_new();
+ if (eckey) {
++ bool is_private = false;
+ EC_GROUP *group = NULL;
+ zval *bn;
+ zval *x;
+@@ -4164,6 +4081,7 @@ PHP_FUNCTION(openssl_pkey_new)
+ // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y'
+ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL &&
+ Z_TYPE_P(bn) == IS_STRING) {
++ is_private = true;
+ d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL);
+ if (!EC_KEY_set_private_key(eckey, d)) {
+ php_openssl_store_errors();
+@@ -4211,10 +4129,7 @@ PHP_FUNCTION(openssl_pkey_new)
+ }
+ if (EC_KEY_check_key(eckey) && EVP_PKEY_assign_EC_KEY(pkey, eckey)) {
+ EC_GROUP_free(group);
+-
+- object_init_ex(return_value, php_openssl_pkey_ce);
+- key_object = Z_OPENSSL_PKEY_P(return_value);
+- key_object->pkey = pkey;
++ php_openssl_pkey_object_init(return_value, pkey, is_private);
+ return;
+ } else {
+ php_openssl_store_errors();
+@@ -4249,9 +4164,7 @@ clean_exit:
+ if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) {
+ if (php_openssl_generate_private_key(&req)) {
+ /* pass back a key resource */
+- object_init_ex(return_value, php_openssl_pkey_ce);
+- key_object = Z_OPENSSL_PKEY_P(return_value);
+- key_object->pkey = req.priv_key;
++ php_openssl_pkey_object_init(return_value, req.priv_key, /* is_private */ true);
+ /* make sure the cleanup code doesn't zap it! */
+ req.priv_key = NULL;
+ }
+@@ -4424,7 +4337,6 @@ PHP_FUNCTION(openssl_pkey_get_public)
+ {
+ zval *cert;
+ EVP_PKEY *pkey;
+- php_openssl_pkey_object *key_object;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &cert) == FAILURE) {
+ RETURN_THROWS();
+@@ -4434,9 +4346,7 @@ PHP_FUNCTION(openssl_pkey_get_public)
+ RETURN_FALSE;
+ }
+
+- object_init_ex(return_value, php_openssl_pkey_ce);
+- key_object = Z_OPENSSL_PKEY_P(return_value);
+- key_object->pkey = pkey;
++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ false);
+ }
+ /* }}} */
+
+@@ -4458,7 +4368,6 @@ PHP_FUNCTION(openssl_pkey_get_private)
+ EVP_PKEY *pkey;
+ char * passphrase = "";
+ size_t passphrase_len = sizeof("")-1;
+- php_openssl_pkey_object *key_object;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|s!", &cert, &passphrase, &passphrase_len) == FAILURE) {
+ RETURN_THROWS();
+@@ -4473,9 +4382,7 @@ PHP_FUNCTION(openssl_pkey_get_private)
+ RETURN_FALSE;
+ }
+
+- object_init_ex(return_value, php_openssl_pkey_ce);
+- key_object = Z_OPENSSL_PKEY_P(return_value);
+- key_object->pkey = pkey;
++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true);
+ }
+
+ /* }}} */
+--
+2.31.1
+
+From c58ef46342a52c8b81ee6f727257a2b471b6d9c3 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 5 Aug 2021 14:59:16 +0200
+Subject: [PATCH 14/39] Add test for openssl_dh_compute_key()
+
+This function was not tested at all :(
+
+(cherry picked from commit 7168f71e00676172e7fcf710adfc07eccd6714e6)
+---
+ ext/openssl/tests/openssl_dh_compute_key.phpt | 29 +++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+ create mode 100644 ext/openssl/tests/openssl_dh_compute_key.phpt
+
+diff --git a/ext/openssl/tests/openssl_dh_compute_key.phpt b/ext/openssl/tests/openssl_dh_compute_key.phpt
+new file mode 100644
+index 0000000000..8730f4b57d
+--- /dev/null
++++ b/ext/openssl/tests/openssl_dh_compute_key.phpt
+@@ -0,0 +1,29 @@
++--TEST--
++openssl_dh_compute_key()
++--FILE--
++<?php
++
++$privateKey = <<<'KEY'
++-----BEGIN PRIVATE KEY-----
++MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBANn6weB11zG7izhfzM4qsITZ
++3q/ORkF6+h3RTn7sh8Ji1MpHt3zHcPfdYFvs7V5SJfNN5Xv9L62RN8GwgxwRWIJr
++8VBHfL3LyZNMMgnGBGJR0qmoM48iNd8i2ggZYj+H8WVh2y6tGw1YsDI3AFHpZFkN
++TvCT1JHl2JfNEgOgSryBO84KDEWLxWaN/4Nqa9x5R0fxKMLjpWNRzEBBKcVeEHIZ
++gzl7VKVJEpYC336sjYJE19ZD0O/gWl+q4WeRpDazDi6LDLZgnoDrUgbNAXtDETKL
++gKOnYq+iwRWCQicQmaQvGXntmgdriExVacrRnH8o09ioxcVdtPG8WuLeqJczCvsC
++AQIEggEEAoIBAH1yv00aZkw/7IIAJL1fZUrpVeO3xKIQDl982HOKS32+o2mUJWbc
++DuDMIOvqiUEltEnFQOqDaJue0ucseJdH5Q9JHlSIhuUQiPB/JfEcPlb2QYzXHuAE
++fWS94X0wiSxYgKXIL0XceA3yg5bYhDSR3DntdJrbboyYHt/QGQ8WCWiYEa402ovI
++x+r7k3BlGxah33HeuqhMCFAfFvWUhLaj85QEmjHTjVMKeeTlNfBS+nscbCcZvLXd
++qanvRxYYGdOhgLTcJe/iUsxmAWVTiqrid8MEvtFrenanawTgnPXAp5WtYTCGcsiQ
++TBG24ND/tnZpPoPz/Rwlpo1IL4IbvKGRsfU=
++-----END PRIVATE KEY-----
++KEY;
++
++$publicKey = hex2bin("29ECC536A85A4AFAD7D63E50545C68CE44A834396886E9A7BAC27E3A08A14C05259BA6E9940FDC512457155A60CAFACD8E43897E1B537A282D39697B75357197B5E3AD7F1826C0216604496AFAEF8999FBCE336C148166AE23E77EC66C0611235110FA8D6180A26425154959FACEC18FEE3EDA68E9355627820C14B44B486C9547ECE62BE72D56A7FAC4747AFCF201D8A4155F63A076234D6BC04DE27E7A7849BF8956E3DB6E51C043CB6FC66889ADE1F8DE756E9194838E8EF8A5CF9C0DD553282DE8A3130CA7752C22C191E5C352AC3BD77EF9270BF37BC807BBDB3F39AE7966B013723E71EAF41082A056D994F64B428183C5BAFEE9C7A41CABCEA868FC34");
++
++echo bin2hex(openssl_dh_compute_key($publicKey, openssl_get_privatekey($privateKey))), "\n";
++
++?>
++--EXPECT--
++b0049944fa5d36f364dd02e675dde50f8c2d67481c5cf0fe2f248d383eec1d38c23d5ed2644fbef2676bcd6ce148361ca82619c8f93e10506cb89d0a1bdaa0f0bc6f68cef0f7cb6d97d43e8dda3c7a5c5a98ebd2342a605ce530fd46a0602d28d4afc48e92088d0bc42194ca8682a85317f812d81b86cd284eed405df2f76aae84ccd560856e8a3d0ce4f591394bca02eb8a1984ebb41bb19714fb8b579bcafd36a9051d51d075f66229893289d8a0c918bfd222f17803cc532d2cf93bb2a567953323ca409beb3237faae9c6fdfc671594324953badd07dd4770ee09fd19f90045654c5709e92aa614b83594c2f62a8bc3c7e786e54bc1259a0a737c70dd4cc
+--
+2.31.1
+
+From fbb478f86081d4d879d1ed644c37842e0d9b1192 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 5 Aug 2021 14:52:56 +0200
+Subject: [PATCH 15/39] Extract php_openssl_pkey_derive() function
+
+To allow sharing it with the openssl_dh_compute_key() implementation.
+
+(cherry picked from commit c6542b2a1e431e7fa980bd97c696c8c48fb58dc3)
+---
+ ext/openssl/openssl.c | 77 +++++++++++++++++++++++--------------------
+ 1 file changed, 41 insertions(+), 36 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 1fca64df15..bf3f70d355 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -4560,6 +4560,34 @@ PHP_FUNCTION(openssl_pkey_get_details)
+ }
+ /* }}} */
+
++static zend_string *php_openssl_pkey_derive(EVP_PKEY *key, EVP_PKEY *peer_key, size_t key_size) {
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(key, NULL);
++ if (!ctx) {
++ return NULL;
++ }
++
++ if (EVP_PKEY_derive_init(ctx) <= 0 ||
++ EVP_PKEY_derive_set_peer(ctx, peer_key) <= 0 ||
++ (key_size == 0 && EVP_PKEY_derive(ctx, NULL, &key_size) <= 0)) {
++ php_openssl_store_errors();
++ EVP_PKEY_CTX_free(ctx);
++ return NULL;
++ }
++
++ zend_string *result = zend_string_alloc(key_size, 0);
++ if (EVP_PKEY_derive(ctx, (unsigned char *)ZSTR_VAL(result), &key_size) <= 0) {
++ php_openssl_store_errors();
++ zend_string_release_ex(result, 0);
++ EVP_PKEY_CTX_free(ctx);
++ return NULL;
++ }
++
++ ZSTR_LEN(result) = key_size;
++ ZSTR_VAL(result)[key_size] = 0;
++ EVP_PKEY_CTX_free(ctx);
++ return result;
++}
++
+ /* {{{ Computes shared secret for public value of remote DH key and local DH key */
+ PHP_FUNCTION(openssl_dh_compute_key)
+ {
+@@ -4567,7 +4595,6 @@ PHP_FUNCTION(openssl_dh_compute_key)
+ char *pub_str;
+ size_t pub_len;
+ DH *dh;
+- EVP_PKEY *pkey;
+ BIGNUM *pub;
+ zend_string *data;
+ int len;
+@@ -4578,11 +4605,12 @@ PHP_FUNCTION(openssl_dh_compute_key)
+
+ PHP_OPENSSL_CHECK_SIZE_T_TO_INT(pub_len, pub_key, 1);
+
+- pkey = Z_OPENSSL_PKEY_P(key)->pkey;
++ EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey;
+
+ if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) {
+ RETURN_FALSE;
+ }
++
+ dh = EVP_PKEY_get0_DH(pkey);
+ if (dh == NULL) {
+ RETURN_FALSE;
+@@ -4612,59 +4640,36 @@ PHP_FUNCTION(openssl_pkey_derive)
+ {
+ zval *priv_key;
+ zval *peer_pub_key;
+- EVP_PKEY *pkey = NULL;
+- EVP_PKEY *peer_key = NULL;
+- EVP_PKEY_CTX *ctx = NULL;
+- size_t key_size;
+ zend_long key_len = 0;
+- zend_string *result;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz|l", &peer_pub_key, &priv_key, &key_len) == FAILURE) {
+ RETURN_THROWS();
+ }
+
+- RETVAL_FALSE;
+ if (key_len < 0) {
+ zend_argument_value_error(3, "must be greater than or equal to 0");
+ RETURN_THROWS();
+ }
+
+- key_size = key_len;
+- pkey = php_openssl_pkey_from_zval(priv_key, 0, "", 0);
++ EVP_PKEY *pkey = php_openssl_pkey_from_zval(priv_key, 0, "", 0);
+ if (!pkey) {
+- goto cleanup;
++ RETURN_FALSE;
+ }
+
+- peer_key = php_openssl_pkey_from_zval(peer_pub_key, 1, NULL, 0);
++ EVP_PKEY *peer_key = php_openssl_pkey_from_zval(peer_pub_key, 1, NULL, 0);
+ if (!peer_key) {
+- goto cleanup;
+- }
+-
+- ctx = EVP_PKEY_CTX_new(pkey, NULL);
+- if (!ctx) {
+- goto cleanup;
+- }
+-
+- if (EVP_PKEY_derive_init(ctx) > 0
+- && EVP_PKEY_derive_set_peer(ctx, peer_key) > 0
+- && (key_size > 0 || EVP_PKEY_derive(ctx, NULL, &key_size) > 0)
+- && (result = zend_string_alloc(key_size, 0)) != NULL) {
+- if (EVP_PKEY_derive(ctx, (unsigned char*)ZSTR_VAL(result), &key_size) > 0) {
+- ZSTR_LEN(result) = key_size;
+- ZSTR_VAL(result)[key_size] = 0;
+- RETVAL_NEW_STR(result);
+- } else {
+- php_openssl_store_errors();
+- zend_string_release_ex(result, 0);
+- RETVAL_FALSE;
+- }
++ EVP_PKEY_free(pkey);
++ RETURN_FALSE;
+ }
+
+-cleanup:
++ zend_string *result = php_openssl_pkey_derive(pkey, peer_key, key_len);
+ EVP_PKEY_free(pkey);
+ EVP_PKEY_free(peer_key);
+- if (ctx) {
+- EVP_PKEY_CTX_free(ctx);
++
++ if (result) {
++ RETURN_NEW_STR(result);
++ } else {
++ RETURN_FALSE;
+ }
+ }
+ /* }}} */
+--
+2.31.1
+
+From f8f202ae92bf2c92cec4ad8d6bf2f57236ccd976 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 5 Aug 2021 15:58:20 +0200
+Subject: [PATCH 16/39] Avoid DH_compute_key() with OpenSSL 3
+
+Instead construct a proper EVP_PKEY for the public key and
+perform a derive operation.
+
+Unfortunately we can't use a common code path here, because
+EVP_PKEY_set1_encoded_public_key() formerly known as
+EVP_PKEY_set1_tls_encodedpoint() does not appear to work with
+DH keys prior to OpenSSL 3.
+
+(cherry picked from commit cb48260fdd7e8a5a636e68917eca484530af5c94)
+---
+ ext/openssl/openssl.c | 64 +++++++++++++++++++++++++++----------------
+ 1 file changed, 40 insertions(+), 24 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index bf3f70d355..91d2589aad 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -4588,16 +4588,48 @@ static zend_string *php_openssl_pkey_derive(EVP_PKEY *key, EVP_PKEY *peer_key, s
+ return result;
+ }
+
++static zend_string *php_openssl_dh_compute_key(EVP_PKEY *pkey, char *pub_str, size_t pub_len) {
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++ EVP_PKEY *peer_key = EVP_PKEY_new();
++ if (!peer_key || EVP_PKEY_copy_parameters(peer_key, pkey) <= 0 ||
++ EVP_PKEY_set1_encoded_public_key(peer_key, (unsigned char *) pub_str, pub_len) <= 0) {
++ php_openssl_store_errors();
++ EVP_PKEY_free(peer_key);
++ return NULL;
++ }
++
++ zend_string *result = php_openssl_pkey_derive(pkey, peer_key, 0);
++ EVP_PKEY_free(peer_key);
++ return result;
++#else
++ DH *dh = EVP_PKEY_get0_DH(pkey);
++ if (dh == NULL) {
++ return NULL;
++ }
++
++ BIGNUM *pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL);
++ zend_string *data = zend_string_alloc(DH_size(dh), 0);
++ int len = DH_compute_key((unsigned char*)ZSTR_VAL(data), pub, dh);
++ BN_free(pub);
++
++ if (len < 0) {
++ php_openssl_store_errors();
++ zend_string_release_ex(data, 0);
++ return NULL;
++ }
++
++ ZSTR_LEN(data) = len;
++ ZSTR_VAL(data)[len] = 0;
++ return data;
++#endif
++}
++
+ /* {{{ Computes shared secret for public value of remote DH key and local DH key */
+ PHP_FUNCTION(openssl_dh_compute_key)
+ {
+ zval *key;
+ char *pub_str;
+ size_t pub_len;
+- DH *dh;
+- BIGNUM *pub;
+- zend_string *data;
+- int len;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "sO", &pub_str, &pub_len, &key, php_openssl_pkey_ce) == FAILURE) {
+ RETURN_THROWS();
+@@ -4606,32 +4638,16 @@ PHP_FUNCTION(openssl_dh_compute_key)
+ PHP_OPENSSL_CHECK_SIZE_T_TO_INT(pub_len, pub_key, 1);
+
+ EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey;
+-
+ if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) {
+ RETURN_FALSE;
+ }
+
+- dh = EVP_PKEY_get0_DH(pkey);
+- if (dh == NULL) {
+- RETURN_FALSE;
+- }
+-
+- pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL);
+-
+- data = zend_string_alloc(DH_size(dh), 0);
+- len = DH_compute_key((unsigned char*)ZSTR_VAL(data), pub, dh);
+-
+- if (len >= 0) {
+- ZSTR_LEN(data) = len;
+- ZSTR_VAL(data)[len] = 0;
+- RETVAL_NEW_STR(data);
++ zend_string *result = php_openssl_dh_compute_key(pkey, pub_str, pub_len);
++ if (result) {
++ RETURN_NEW_STR(result);
+ } else {
+- php_openssl_store_errors();
+- zend_string_release_ex(data, 0);
+- RETVAL_FALSE;
++ RETURN_FALSE;
+ }
+-
+- BN_free(pub);
+ }
+ /* }}} */
+
+--
+2.31.1
+
+From fbb13f6bf183f1d2d95fe2aa48edce300aad5fd7 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 14:54:59 +0200
+Subject: [PATCH 17/39] Use different algorithm in pkcs7 tests
+
+The default of OPENSSL_CIPHER_RC2_40 is no longer (non-legacy)
+supported in OpenSSL 3, specify a newer cipher instead.
+
+We should probably either change the default (if acceptable) or
+make the parameter required.
+
+(cherry picked from commit 563b3e3472d7c5e3502fb49ef023b6e18ed0f22a)
+---
+ .../tests/openssl_pkcs7_decrypt_basic.phpt | 3 ++-
+ .../tests/openssl_pkcs7_encrypt_basic.phpt | 23 ++++++++++---------
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt b/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt
+index eb0698da9f..0d4da7a251 100644
+--- a/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt
++++ b/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt
+@@ -19,8 +19,9 @@ $single_cert = "file://" . __DIR__ . "/cert.crt";
+ $headers = array("test@test", "testing openssl_pkcs7_encrypt()");
+ $wrong = "wrong";
+ $empty = "";
++$cipher = OPENSSL_CIPHER_AES_128_CBC;
+
+-openssl_pkcs7_encrypt($infile, $encrypted, $single_cert, $headers);
++openssl_pkcs7_encrypt($infile, $encrypted, $single_cert, $headers, 0, $cipher);
+ var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, $single_cert, $privkey));
+ var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, openssl_x509_read($single_cert), $privkey));
+ var_dump(openssl_pkcs7_decrypt($encrypted, $outfile, $single_cert, $wrong));
+diff --git a/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt b/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt
+index ef9b25e70b..7a600bc292 100644
+--- a/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt
++++ b/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt
+@@ -20,19 +20,20 @@ $headers = array("test@test", "testing openssl_pkcs7_encrypt()");
+ $empty_headers = array();
+ $wrong = "wrong";
+ $empty = "";
++$cipher = OPENSSL_CIPHER_AES_128_CBC;
+
+-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $headers));
+-var_dump(openssl_pkcs7_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers));
++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $headers, 0, $cipher));
++var_dump(openssl_pkcs7_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers, 0, $cipher));
+ var_dump(openssl_pkcs7_decrypt($outfile, $outfile2, $single_cert, $privkey));
+-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $assoc_headers));
+-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $empty_headers));
+-var_dump(openssl_pkcs7_encrypt($wrong, $outfile, $single_cert, $headers));
+-var_dump(openssl_pkcs7_encrypt($empty, $outfile, $single_cert, $headers));
+-var_dump(openssl_pkcs7_encrypt($infile, $empty, $single_cert, $headers));
+-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $wrong, $headers));
+-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $empty, $headers));
+-var_dump(openssl_pkcs7_encrypt($infile, $outfile, $multi_certs, $headers));
+-var_dump(openssl_pkcs7_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs) , $headers));
++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $assoc_headers, 0, $cipher));
++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $single_cert, $empty_headers, 0, $cipher));
++var_dump(openssl_pkcs7_encrypt($wrong, $outfile, $single_cert, $headers, 0, $cipher));
++var_dump(openssl_pkcs7_encrypt($empty, $outfile, $single_cert, $headers, 0, $cipher));
++var_dump(openssl_pkcs7_encrypt($infile, $empty, $single_cert, $headers, 0, $cipher));
++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $wrong, $headers, 0, $cipher));
++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $empty, $headers, 0, $cipher));
++var_dump(openssl_pkcs7_encrypt($infile, $outfile, $multi_certs, $headers, 0, $cipher));
++var_dump(openssl_pkcs7_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs), $headers, 0, $cipher));
+
+ if (file_exists($outfile)) {
+ echo "true\n";
+--
+2.31.1
+
+From e6d9c6b6cfcc255124bb42b409c29db854ff828d Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 5 Aug 2021 16:30:55 +0200
+Subject: [PATCH 18/39] Use different algorithm in cms tests
+
+Same as with pkcs7, switch these tests to use an algorithm that
+OpenSSL 3 supports out of the box.
+
+Once again, we should consider changing the default or making it
+required.
+
+(cherry picked from commit ec4d926a80fe93c80d2b52f0178bc627097d9288)
+---
+ ext/openssl/tests/openssl_cms_decrypt_basic.phpt | 3 ++-
+ ext/openssl/tests/openssl_cms_encrypt_der.phpt | 3 ++-
+ ext/openssl/tests/openssl_cms_encrypt_pem.phpt | 3 ++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ext/openssl/tests/openssl_cms_decrypt_basic.phpt b/ext/openssl/tests/openssl_cms_decrypt_basic.phpt
+index 86c70f4fde..709194ec05 100644
+--- a/ext/openssl/tests/openssl_cms_decrypt_basic.phpt
++++ b/ext/openssl/tests/openssl_cms_decrypt_basic.phpt
+@@ -15,8 +15,9 @@ $single_cert = "file://" . __DIR__ . "/cert.crt";
+ $headers = array("test@test", "testing openssl_cms_encrypt()");
+ $wrong = "wrong";
+ $empty = "";
++$cipher = OPENSSL_CIPHER_AES_128_CBC;
+
+-openssl_cms_encrypt($infile, $encrypted, $single_cert, $headers);
++openssl_cms_encrypt($infile, $encrypted, $single_cert, $headers, cipher_algo: $cipher);
+
+ var_dump(openssl_cms_decrypt($encrypted, $outfile, $single_cert, $privkey));
+ print("\nDecrypted text:\n");
+diff --git a/ext/openssl/tests/openssl_cms_encrypt_der.phpt b/ext/openssl/tests/openssl_cms_encrypt_der.phpt
+index e7aa8f4dad..06bfcabeb4 100644
+--- a/ext/openssl/tests/openssl_cms_encrypt_der.phpt
++++ b/ext/openssl/tests/openssl_cms_encrypt_der.phpt
+@@ -14,8 +14,9 @@ $decryptfile = $tname . ".out";
+ $single_cert = "file://" . __DIR__ . "/cert.crt";
+ $privkey = "file://" . __DIR__ . "/private_rsa_1024.key";
+ $headers = array("test@test", "testing openssl_cms_encrypt()");
++$cipher = OPENSSL_CIPHER_AES_128_CBC;
+
+-var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_DER));
++var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_DER, $cipher));
+ if (openssl_cms_decrypt($cryptfile, $decryptfile, $single_cert, $privkey, OPENSSL_ENCODING_DER) == false) {
+ print "DER decrypt error\n";
+ print "recipient:\n";
+diff --git a/ext/openssl/tests/openssl_cms_encrypt_pem.phpt b/ext/openssl/tests/openssl_cms_encrypt_pem.phpt
+index 929f3f2e02..4030862391 100644
+--- a/ext/openssl/tests/openssl_cms_encrypt_pem.phpt
++++ b/ext/openssl/tests/openssl_cms_encrypt_pem.phpt
+@@ -14,8 +14,9 @@ $decryptfile = $tname . ".pemout";
+ $single_cert = "file://" . __DIR__ . "/cert.crt";
+ $privkey = "file://" . __DIR__ . "/private_rsa_1024.key";
+ $headers = array("test@test", "testing openssl_cms_encrypt()");
++$cipher = OPENSSL_CIPHER_AES_128_CBC;
+
+-var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_PEM));
++var_dump(openssl_cms_encrypt($infile, $cryptfile, $single_cert, $headers, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_PEM, $cipher));
+ if (openssl_cms_decrypt($cryptfile, $decryptfile, $single_cert, $privkey, OPENSSL_ENCODING_PEM) == false) {
+ print "PEM decrypt error\n";
+ print "recipient:\n";
+--
+2.31.1
+
+From 31e60d155d01253ab42f490fecd0f2a5e537bc47 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 5 Aug 2021 17:07:44 +0200
+Subject: [PATCH 19/39] Use larger key size for DSA/DH tests
+
+OpenSSL 3 validates allowed sizes strictly, pick minimum sizes
+that are supported.
+
+(cherry picked from commit 1cf4fb739f7a4fa8404a4c0958f13d04eae519d4)
+---
+ ext/openssl/tests/bug73711.cnf | 3 ---
+ ext/openssl/tests/bug73711.phpt | 11 ++++++++---
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+ delete mode 100644 ext/openssl/tests/bug73711.cnf
+
+diff --git a/ext/openssl/tests/bug73711.cnf b/ext/openssl/tests/bug73711.cnf
+deleted file mode 100644
+index 0d27d910d4..0000000000
+--- a/ext/openssl/tests/bug73711.cnf
++++ /dev/null
+@@ -1,3 +0,0 @@
+-[ req ]
+-default_bits = 384
+-
+diff --git a/ext/openssl/tests/bug73711.phpt b/ext/openssl/tests/bug73711.phpt
+index 0b3f91b8fe..4e4bba8aa8 100644
+--- a/ext/openssl/tests/bug73711.phpt
++++ b/ext/openssl/tests/bug73711.phpt
+@@ -6,9 +6,14 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded");
+ ?>
+ --FILE--
+ <?php
+-$cnf = __DIR__ . DIRECTORY_SEPARATOR . 'bug73711.cnf';
+-var_dump(openssl_pkey_new(["private_key_type" => OPENSSL_KEYTYPE_DSA, 'config' => $cnf]));
+-var_dump(openssl_pkey_new(["private_key_type" => OPENSSL_KEYTYPE_DH, 'config' => $cnf]));
++var_dump(openssl_pkey_new([
++ "private_key_type" => OPENSSL_KEYTYPE_DSA,
++ "private_key_bits" => 1024,
++]));
++var_dump(openssl_pkey_new([
++ "private_key_type" => OPENSSL_KEYTYPE_DH,
++ "private_key_bits" => 512,
++]));
+ echo "DONE";
+ ?>
+ --EXPECTF--
+--
+2.31.1
+
+From b93f08093684d24a80857fec7ede1c41f440cff5 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 4 Aug 2021 13:54:26 +0200
+Subject: [PATCH 20/39] Skip some tests if cipher not available
+
+(cherry picked from commit d23a8b33abc3cd7e516563877a3f698b7a94ac10)
+---
+ ext/openssl/tests/bug71917.phpt | 1 +
+ ext/openssl/tests/bug72362.phpt | 1 +
+ ext/openssl/tests/openssl_decrypt_basic.phpt | 15 ++++++++++-----
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/ext/openssl/tests/bug71917.phpt b/ext/openssl/tests/bug71917.phpt
+index a68cf0162c..0cc518c4ef 100644
+--- a/ext/openssl/tests/bug71917.phpt
++++ b/ext/openssl/tests/bug71917.phpt
+@@ -3,6 +3,7 @@ Bug #71917: openssl_open() returns junk on envelope < 16 bytes
+ --SKIPIF--
+ <?php
+ if (!extension_loaded("openssl")) die("skip openssl not loaded");
++if (!in_array('rc4', openssl_get_cipher_methods())) die('skip rc4 not available');
+ ?>
+ --FILE--
+ <?php
+diff --git a/ext/openssl/tests/bug72362.phpt b/ext/openssl/tests/bug72362.phpt
+index cd6ec1e838..b73cac7425 100644
+--- a/ext/openssl/tests/bug72362.phpt
++++ b/ext/openssl/tests/bug72362.phpt
+@@ -3,6 +3,7 @@ Bug #72362: OpenSSL Blowfish encryption is incorrect for short keys
+ --SKIPIF--
+ <?php
+ if (!extension_loaded("openssl")) die("skip openssl not loaded");
++if (!in_array('bf-ecb', openssl_get_cipher_methods())) die('skip bf-ecb not available');
+ ?>
+ --FILE--
+ <?php
+diff --git a/ext/openssl/tests/openssl_decrypt_basic.phpt b/ext/openssl/tests/openssl_decrypt_basic.phpt
+index 4175e703d2..e846b42e78 100644
+--- a/ext/openssl/tests/openssl_decrypt_basic.phpt
++++ b/ext/openssl/tests/openssl_decrypt_basic.phpt
+@@ -24,10 +24,15 @@ $padded_data = $data . str_repeat(' ', 16 - (strlen($data) % 16));
+ $encrypted = openssl_encrypt($padded_data, $method, $password, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING, $iv);
+ $output = openssl_decrypt($encrypted, $method, $password, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING, $iv);
+ var_dump(rtrim($output));
+-// if we want to prefer variable length cipher setting
+-$encrypted = openssl_encrypt($data, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY);
+-$output = openssl_decrypt($encrypted, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY);
+-var_dump($output);
++
++if (in_array("bf-ecb", openssl_get_cipher_methods())) {
++ // if we want to prefer variable length cipher setting
++ $encrypted = openssl_encrypt($data, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY);
++ $output = openssl_decrypt($encrypted, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY);
++ var_dump($output === $data);
++} else {
++ var_dump(true);
++}
+
+ // It's okay to pass $tag for a non-authenticated cipher.
+ // It will be populated with null in that case.
+@@ -39,5 +44,5 @@ var_dump($tag);
+ string(45) "openssl_encrypt() and openssl_decrypt() tests"
+ string(45) "openssl_encrypt() and openssl_decrypt() tests"
+ string(45) "openssl_encrypt() and openssl_decrypt() tests"
+-string(45) "openssl_encrypt() and openssl_decrypt() tests"
++bool(true)
+ NULL
+--
+2.31.1
+
+From bc8281431c8ce82c232fee5674b945af95bbd860 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 5 Aug 2021 16:29:43 +0200
+Subject: [PATCH 21/39] Use different cipher in one more CMS test
+
+Followup to ec4d926a80fe93c80d2b52f0178bc627097d9288 -- I failed
+to squash in this commit.
+
+(cherry picked from commit a2c201351b32b1a7c44f6c6692c2a9fca9179e17)
+---
+ .../tests/openssl_cms_encrypt_basic.phpt | 23 ++++++++++---------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/ext/openssl/tests/openssl_cms_encrypt_basic.phpt b/ext/openssl/tests/openssl_cms_encrypt_basic.phpt
+index f1a0c6af8b..ee706ebfba 100644
+--- a/ext/openssl/tests/openssl_cms_encrypt_basic.phpt
++++ b/ext/openssl/tests/openssl_cms_encrypt_basic.phpt
+@@ -18,20 +18,21 @@ $headers = array("test@test", "testing openssl_cms_encrypt()");
+ $empty_headers = array();
+ $wrong = "wrong";
+ $empty = "";
++$cipher = OPENSSL_CIPHER_AES_128_CBC;
+
+-var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $headers));
+-var_dump(openssl_cms_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers));
++var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $headers, cipher_algo: $cipher));
++var_dump(openssl_cms_encrypt($infile, $outfile, openssl_x509_read($single_cert), $headers, cipher_algo: $cipher));
+ var_dump(openssl_cms_decrypt($outfile, $outfile2, $single_cert, $privkey));
+ readfile($outfile2);
+-var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $assoc_headers));
+-var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $empty_headers));
+-var_dump(openssl_cms_encrypt($wrong, $outfile, $single_cert, $headers));
+-var_dump(openssl_cms_encrypt($empty, $outfile, $single_cert, $headers));
+-var_dump(openssl_cms_encrypt($infile, $empty, $single_cert, $headers));
+-var_dump(openssl_cms_encrypt($infile, $outfile, $wrong, $headers));
+-var_dump(openssl_cms_encrypt($infile, $outfile, $empty, $headers));
+-var_dump(openssl_cms_encrypt($infile, $outfile, $multi_certs, $headers));
+-var_dump(openssl_cms_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs) , $headers));
++var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $assoc_headers, cipher_algo: $cipher));
++var_dump(openssl_cms_encrypt($infile, $outfile, $single_cert, $empty_headers, cipher_algo: $cipher));
++var_dump(openssl_cms_encrypt($wrong, $outfile, $single_cert, $headers, cipher_algo: $cipher));
++var_dump(openssl_cms_encrypt($empty, $outfile, $single_cert, $headers, cipher_algo: $cipher));
++var_dump(openssl_cms_encrypt($infile, $empty, $single_cert, $headers, cipher_algo: $cipher));
++var_dump(openssl_cms_encrypt($infile, $outfile, $wrong, $headers, cipher_algo: $cipher));
++var_dump(openssl_cms_encrypt($infile, $outfile, $empty, $headers, cipher_algo: $cipher));
++var_dump(openssl_cms_encrypt($infile, $outfile, $multi_certs, $headers, cipher_algo: $cipher));
++var_dump(openssl_cms_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs), $headers, cipher_algo: $cipher));
+
+ if (file_exists($outfile)) {
+ echo "true\n";
+--
+2.31.1
+
+From c42a69def274fb77cbcb3db4189841e3f582803a Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Fri, 6 Aug 2021 10:35:49 +0200
+Subject: [PATCH 22/39] Generate pkcs12_read test inputs on the fly
+
+The old p12_with_extra_certs.p12 file uses an unsupported something.
+
+(cherry picked from commit 5843ba518cfb9ac6ae6d6a69629239cbf77d4cfb)
+---
+ ext/openssl/tests/bug74022_2.phpt | 10 ++--
+ .../tests/openssl_pkcs12_read_basic.phpt | 46 ++++++++++--------
+ ext/openssl/tests/p12_with_extra_certs.p12 | Bin 3205 -> 0 bytes
+ 3 files changed, 31 insertions(+), 25 deletions(-)
+ delete mode 100644 ext/openssl/tests/p12_with_extra_certs.p12
+
+diff --git a/ext/openssl/tests/bug74022_2.phpt b/ext/openssl/tests/bug74022_2.phpt
+index 5df37fb3c9..9c38387157 100644
+--- a/ext/openssl/tests/bug74022_2.phpt
++++ b/ext/openssl/tests/bug74022_2.phpt
+@@ -12,11 +12,13 @@ function test($p12_contents, $password) {
+ var_dump(count($cert_data['extracerts']));
+ }
+
+-$p12_base64 = 'MIIW+QIBAzCCFr8GCSqGSIb3DQEHAaCCFrAEghasMIIWqDCCEV8GCSqGSIb3DQEHBqCCEVAwghFMAgEAMIIRRQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIQOfCxIAgGIICAggAgIIRGFTkvHpJjCtFjukXYVlhyOIqKiS8Zvg84dX244hhI0S51Uyn/tlXM2GD/3hDNVxcVKwP/fKN21lEkoXoK4h2/5BY3qCdZa3Ef3vk44b/+FGCUAqvsOo1ZjD2P/sBGhLu3aFnQ6ktUXlKV4cnqhlF62AqY4e5efQzmJXn+gI8cSNI5c+qQ0RQgGoRY4nJfvMSZG0/DAkirjGikU/2TZd8LwLkxVUBYbF5/T0fNtA3o99+4tF+8ZRv6ArYjplRdwcBbMbzGhn3ytCq6cmVid9iLjwHJFmvAPXKbmu0Lh5eRRznX9gBWlzGd08Q/ch0MW2ehZTu1A2VrNWl+FKWSk8l0MlSoTPJFutFiejRvMr6VzbQItyJ/mtrNa9b1Hicgoj9HaBB6arx4wKORlbSOxFNOWdTCUhFdqthK5o7b9i/owyVgyY0s7BFEZChc0zGpRq7BLrynY79b+pHKzpil9isuisp1++piHZx9Y/bpC7OP5FlYF9+3TJL0EpEFQD8FqEoqcMFRxIDWGpCQiLGcmL14OH1JKSgOJEAgogsIF/KQhvWeKcUSJlai+0sskl8mOrCt2EJwuRvzmemuzebYN3JMOiBXKONYR0yU8AeAyNTgSBimWhACtikUyfpgZXlIeXyFMvj9fmd0I/zqjaW4upqrCudCOj/CWx7+e+8udfJxI7agWwrZMf1BEkOhRFOHOIuV+IEbaoMP6vVrGlhK71oN+gnoes5ivohpFDJWSZ3+1fMh56vfNynuM2wLJO7FTROPla+4ug33V/2ubGpoIyXn2lTSbuXaYDfsXMa1inakOMW9Q+PHGdIjZrwQU/u9Q2H0IlwFd4uQojZo15SRf4xh5FOuUrrfGRAnp1mWHALTBqd2VnkgqtBl8rXZXqA+CiEhEDhTAQmvf+wCKd3FklrhV+p65YcfRK9OJv5aFQM1/+WbJozF4/Wi5j4rtIDPrgMMEflOyoZIxGxDOaklyAvaasRU2TT8E2LIEvGKOzlrhIZqWyRESjgXdh6l0UBMaVAidIZ0JLf+8fqSZ0Zia5iAaJpm82MQr/PVXC4lqqxDlHhefwM3OKfZVkfAw0a2eePM5YkIxAgMpAstBt32UIixlj/5l4MwqzP8Reb4MsV6Fph2e14vsV1diLBaJI3hrU5UBVEDWV0GSbwdhZLtdubSaBHcv5v9aZ1cdFKL6d2rHksW9ooNnh/ljPxmVlfHbb8sPYDXmLmBNJdNV1gQouhKKrt0ov1J9+sqE53D9+9dfRwf/myYlnyNgqU4vNMrZI2flyugkYoUxIC8stVF46zfL5QkSg3GqdLQC4gpeJ0WdTSyOBaOgUvqGdSARb5bXm1VXF5IxVg1B4v+puNIHS9yuphXUJvw6xWWPjbQAllDrPjMqAbxmF465vFyQP0qEvMjRD+SaFIgW4KjMqfteKo4MgqKTRF4UP9r0HkwRErOznxWDfSxzXYztY6U72NdifN9IIFiBikKQqZvfvaN+1jukehSRpGQHQB5OxeeKThJZJGiUC5Fgvl7lPb6Djx8Rfba/FJvVsR2KFS64sArtUKmC6LcJxEY9WcsiJTHek817zvYej7FD1NxuttNp+ue9ArOoIhOEf08HIOu3d2yjeRlN5CJ/jIdKYlZW6m6Ap1M+OUHhJTF73K6lKKD9Diwa3s6FoqOwtZF4uYwHnCG218BMY8GgEVD73x5KjDOP02Y6EakZNp/9QIqQT4WkMWXMaqAPADtoh8X1FJLlnvs2Ko+hLlPxuPaIA4KvSuuocnWx/6HJbdqHUS/Se+JJo0Igt4Svax1R2kvoIPuQmPmHJ6l7CeZZiNbe+baFSx+V6g/6AgHUsUOSqGvUIEns1uIE9CQ8w0G3yLVonjERJLrdj+em3Pt7fxrxoOI4nwjplX0wJk0rkQREiS8ULQDHueptUcxJxMKpugAc4CL+BsHohkhm4kpOEmviKDwzxytQhDp2Fj2PRO9kqyNrNfzNGCN5709blEIVYTtonELI2vR5Ap+O2pH+AlqrnHWgeOYAKAyWT13xCNRsGNdv2sCDDiHqxq01IBzYhPvoWzECOmGbJRRSGOVzYCJJpVjl0NNKv9ucmftSQRjm6xgLIqv1xrehDYuJ/IMsYQ5QwXBGxy7nkeRg+onWzA0ZnEWgzLs3T/Pj7z/TPQWiN03MH24RvQXTWBqp9iBwXpsCZVgUIM/VLCQJn0/V5gfRy9Ne0rk2/tHMnzGHvll5Spoy6WkxSfQ8c8CjTilaoPWV6fOcNB2Z6ZuTqX0fbnxcEAu2fOK7e6ryGipEgaxrdiopDTlgPEFMdGUETbUh0ACrv/gNsS+m5MtNisWnhxFEiXrsWoWIgW/6TgRJGo+l52bh/xxC0bwHbYuHK62sxDVeXpBOnA4VE+WckWsC0CKYJvv4vfTbLI46fyd3lnlcSuHYM4SdbND7THNeK+KB5GyuUFLgAhhtZv8ceEo63IOlBUUy1NlWnr0cbidxvVnOugFLExCV5QGr+xbrssIibQxs8AfOBK8Cxh83IlzJVe7dX1mZVG1c6AM6SKSC6F0LBOeNEvcLlz4PBMIciubCE6ecdXCzJYFbj9ERDlnrZMKrnATRMsgCPaWdyYgQwkDuCj5uqf4aiKLzA61918hLY3MB7mSyJcCkXDYKr11Br0YSAdu8uG6IjpiUQS2PFz8E8XHBmO/uobhEuCPR2LnUv+xFN8zoPQlA5ueRz1yBF8L+CsvDGp/N3KF26ETWlvmnEdt7foE+o/J7aG6xO/CNB+/+yGbVPZRVAntZec9nbqlQ55qECnWtQNnShW7+3RSGamWeTtE2DyRSfd/62JkPNEY25jbBUIkMNtKolA5dbYa+u50S3lvakMmvQvzcSC3PONajKHgk4mBn3qf9X2uM5RDL83M7489r6JPcxTnNK27rQoxplkxLiN8HuB+AB5hp82WoyvLydR4hoBnJPIYKMcmEfIR+SgLoCyNIQLjzk5Iyk1ZwdwsjyNPXi1/HHZq8+NhoTCupjGfWgXghoz89MTYAjpMvOlES2rgFuCdphSc8Nd1uQtZx4CLMOU0gut0PI81ePBBI0iG74PWMEcp5HlHHY/hPTaRkBFLYkq9CWmJc1PfjiCWf3pwRmT7dUnmcptynexIMOZt2Nd76jc+g7k5MmEK+Qdz7/c1un4sVLquxdY6nUY/znLz+2zC/OTSsF39+rak3p8TXR0kBNsHl8UTioi4CGhCMsWsQy9me25TDHzbtIvBPVp9xXufsOe2wqPLjq3iNEGXTsagx3sLvl7BJ6WW/YMC7sUpjx1Ai3zkqViW0jQB+BzMZjfYM/8Yj31EEE+WssxY+NfitBgZzeMGGjNOAKp7XN0glwhuo1G2/APyU/Zopx3gMYj5OExgkZ7kvK++7+NlPmE+8AEuZ/uf30TtKwvRXOSvAMqqm26kb/WQPCj1xFQ0AEDl0Sbyfgk1E51Cd/ujL0t32FNkSoE8pe3IaTnwAnW7NHTZ/RByh2nsr0ThfFg4pFFuSD4dzU8r2J/4YJG3B06eyyTRLoyLBQwzwIgzGBAU8USdD8CXlA8SkfBbF39500ZRNcMIt6wdQa1CHAUHDLPw9JF9Q0FwCspgkjc9+lTRZMtumN5ChgypSkUB1dzLV2hqeQzDngVjcco/CoxM0Svm8gGrM9qobCTGzGF8/wZljv1yRiqu6HGFYWDAQ/p+wWx6ScstxEAB+5R5GrOedgd4zPXi2NMvyeN+ACFRBSPkhXIXpLZADvBi/WQMYbHia1wL8WUrSGQuB4P46cWGyseaxl//6GQ9IoGbK3XuLIPeE+BpPLB0H9LSLY+5f3qOEkKzCCW0z+68ZMlanlsThLKhqk8yrmJhV4788Tr7BC3eGbAie1urrrfUR613Jsp5peLSJuWQHdWCE/fdKgoSsRJ+DYkPoyS1YNz4BF4yz1Oem9Mti7gvgTQNX6g6PCu0rN8B6HIgY9TvWy5OCoZjJKasb+OgTMld7TJDnyK5/JcvDKHNVwcpK74lxcVX7IRorP/eh4IQ1+P/Gh06A62RHp2dEh/fNuKeCiRM2vGH0gdIN/Ca6MX8MqazgJq2EONyWiqRoGPqqZpAVTa8l5kgGvxQE/CQ4x0uAxwresRRTUZ+fJEanAhTWYgI5mRoEkG88UZjyCWmCnpNMQRYHoq7iY0So5qUdkHvpUA48cNMyztPEEHsUyWC36ZCyNsQN26FoJrG9TqXedBrhcki0sPOWugvKtGsdTT354wJTDe5OCo0AH3eFo/auuuAk/DF7yu614UCmKtXHYJ61GpIkjBu9WrPAIJhndMqfGMD/yU4UMEPHyojqHvU0BSgv1k76vI3K2lqERkaNYFfzRNj+e7k+NNos8w7XCzilWBL2ePB3pG5xfivcH4tYFm0FbnIkSz52VIy+PTiK7QQuBPDRTcn1k41+9vxQxRWpsqM/NP+4gqGozNyANXLQ64Y+QXSnWrD+xMjL/kVFwUBJ2HaAIJHjZ7ZqLRzXVOUbQ9pivJiBkXvLptSo72Iw4zsbRd1x8WNEaihx1MBAj+s+4MNdC5MBkQMlSB0PTJzs9xlz0gN+Oz0lohH6JO7ngPJUYbo2AIWEYZN+9kn/RyHblQTElrJeLf1jGNi4anBfzbsIXQuVm/nsrE5MH23X66+rJzUk8Fc5JAIDGBslkDPg3UNnElcE3cYbcB/ZzjFtgz8ducWKQmI+Yqv4p7BVXji/rHPim8vL6P5xZc95tbIonp5bQH+PPSmcfDk3rrf5mS58dJvWh/UpwcfdVvUAsWLJEV1lUBg1qecVbCsa6Oy7tJ2ZK7e3KdtZrmXiYpSAnSzRNJotr4g4H99brG6IwUx3qk5BE4x3C8MpSb+1NcKnM9nhqwAGRb9sfVXG38eNltm7hDnsolQcFQmHkDSM4arUVRqmsG8O16bThtlFWbYYN355aGQxrO2pICnt0ZOAI5CA3Rl8FprhFZgVy4pcpMVwy2zCNaYGJoGYsxDm/lEWJbTGcVm6YkyaZvdkXM1uAVegLZOCKnlW9H7b1uU3NvUw4Qx3DhI5xMD9jZhlXIsYfa9s5NQjTeIX8fFbx1fdENpHjVRxs82DO26uLEaJpoL/Ywn1xfs1uV0VQb2NGPvUJKysjMRoX0Zfa0hsSBhw/ZSlyX1xfQY8ShusVswf3zEnwI1LTgtr0CvBNwnuaSDv/IoypEfCOuMrJEGJuTPDbGGyS4VeRf0He5Dk9RskehgrJcwhlw+hXajR6SluODcsEGfL+eOUjAOO9agWaqM2CfV52/vJNhA5KMEJwHuQAU1SHr4+xaW4EKWPlxB6Sjjz/IuL+toLBetBA3ZhEfokac6rQplUIiOICd3Ghwi1rpUZPL5YuP0murhpBGTdzMzGSMhSZ74LeAcoRKEG4rKKIS3fRS65QMlaLC6uOT8givHdXsk+4zLBF0BnYAe4bq8RDcpt9TJRczL6+NaxYxa36R+DRin4U1SwaUdIvEKaEDBdVLnzKkpAim5cww1MYkGZmFcVg8u8fSnoz5TeorZy00dQCMCC+SyMb58TTA08UrCOSq07+ILregexlx+Cxpbgpabo858lkJLDpPJmq8YQmog2gaMstJbpyV3M4wf1GL4ylPurPWUuyX58H8oRyX/FH79cpsbyeNoghwfvRVw8/tOUyF1DbA8Lw0HauIHTQwMTOvREPCPmlMvldIUJxHqIpqcsXESIWT/+YaHBiKGueGqPOdkFPtXSyf4t1Ka56M/9ftvdR/oFtr/iApE0Hyosz84INF/Rq9HYd8jrVb3IcQw637U2s4sE+I95+c+VaYxcDq29Jd2jD3uZfn6vbxb7Zz//Z8G4PGBNDns+D/jDoAMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECDpR8wgSXD4AAgIIAASCBMijRdwb0L38qXtBGebx6l35L3eR8/NPfJTyDKqYQOiIhNfYp/f+Ml9g3NlCB+ba03BZBCFSo1a9csjMZ1fDgS5AoNE683hbPdNj6D5JYQtvOpX/D5rawmI0iuDTIc6GOpN5PS0ds9OLnlS6pagq3U7QycuiPR0jVq72qzQUDxnqXU0XO+IwQXFP5UhKrPJe/cbUotznQPGH5g88ydM9YelIvIVImXLlXeVLY8CtzRQPSduX1zckVUMktrpSvqJUhVuN4ikhh+4ga1LvtaziOibk6HNekSlN13sqSQ7GeWGToB1AOmN8i1LZmWRnrPG61dT3uPg0R/5rPq6hrNQvAnx7Mpq7Uz1OuzDzGoaBtX+/CVIpeYLAYm7hdKouT84hk7qsT9ls1Dwb5P1C8HjBWas0KufoyxoHL61A+xGIcHkbOeVNy20AFUf7Xhb+kPlSdOhP3Ik1F2iUXa0pFxqTNcsmTDRzAReciYxVJ0lOTbqX7O6/a+U/sT109GqVGZJcpyk1FCUSk3HWbjSKOhxjpvxqfSKexr9ZOTmih7rBNYSY6sRUYgtpQyWNo8iWilwSP3FCBCbRIJrzJ5O6wn0JDTHONqxS9zENz/MvX8oHEZk+mkpxZA4YCodP10zQjzKHsXI1lRWrUARzpDfqGck1BBXXLrLNDL3w+00ipkTdEgtdhNFtHZ7A0Fda62ys5JTKt/oWSi0FPhjXdGnxf+8rBkB/jlKx99Ue6R4S+ve7Eqyl98TelFvX5C6wa63+/kw4/8L5aSlhrAUyYrykmnZ9nb61YY4HTmwpSJP0tHmr3LHxPVx15vp3KIyrYQVvbap+FvfcLjMoU6ckLQDZpQSJdFo86MdNedrKbwmVN7pV/M2b3DjPp5ixLCSXJgK3RaATIxQL88IDv4+ySL0Z2t6jUopZ40liyDnHGDl9zajeQ1WaW4yHS65aVlzYHSFvCGr8F/4Lydk5ax5HHqna6LbFeuQ4kUcUaGfiIagtFW+ueyfOckqLnwYisjG5fQmheONPHb7jg/qHQoKasD4TvmwrvUcG20c5J57oZ80C94zySYpdHTaETXHEOwz7NBPP1hplC1IaAfbhwZ48Z0kWWqddfELUC5miapzthvzpycOzL6zWmTLjyTXPZrbkqYfVrD26bsD/YOo54BThGcBdEfu2chT2eNF0rRZwF5U9TACfzMFYxUIVRq4rWAaerppkK5JNBT/la2QxUElh9HPn+0GGL1BYYEPCihciwWy2BwJs1IgjhU4ARTlukuxK+WLPTflwvlOX5G1P5D57up8kxtDncR5IIuZJgWWSFLGOkGeHXmjynLMqS1OCzIId3dj0c3EYBnku82eItAQd5fk7/rs0Lg0S1XeVSrgPphTgviGXzTWSh28S3VZJ2G7k4dr1P/sJQounjbcDrFyYaFxYXEqyO9L6vFShO5z7/vD5h9uLPddE4vC6PKJxZoWopWncLcLljuYKG0k+y4MV9U0/cESYJWzBbcZZpULdesinhxMg1wNPu5FeeFCsZpdhN2FadIuu/Kcsk6xNeDDIwwYXb3hVY0ARRAo//LyLv3zDB0LWz1LH3qJQeZ53DbgZ4VXQ6uK0yTgSsH4Lwaj5oFBPp4NJ3hdGa7trpJbeUMIxJTAjBgkqhkiG9w0BCRUxFgQUh6FIxf4sbyJnvvC+6J1NHGaa9w0wMTAhMAkGBSsOAwIaBQAEFFkCkI701QHxh2zcZkzDy8bn7qKwBAjafnZaU5r0FgICCAA=';
++$cert = file_get_contents(__DIR__ . "/public.crt");
++$priv = file_get_contents(__DIR__ . "/private.crt");
++$extracert = file_get_contents(__DIR__ . "/cert.crt");
++$pass = "qwerty";
++openssl_pkcs12_export($cert, $p12, $priv, $pass, array('extracerts' => [$extracert, $extracert]));
+
+-$p12 = base64_decode($p12_base64);
+-
+-test($p12, 'qwerty');
++test($p12, $pass);
+ ?>
+ --EXPECT--
+ int(2)
+diff --git a/ext/openssl/tests/openssl_pkcs12_read_basic.phpt b/ext/openssl/tests/openssl_pkcs12_read_basic.phpt
+index b81b4d9dac..8cb2b41fd7 100644
+--- a/ext/openssl/tests/openssl_pkcs12_read_basic.phpt
++++ b/ext/openssl/tests/openssl_pkcs12_read_basic.phpt
+@@ -4,10 +4,12 @@ openssl_pkcs12_read() tests
+ <?php if (!extension_loaded("openssl")) print "skip"; ?>
+ --FILE--
+ <?php
+-$p12_file = __DIR__ . "/p12_with_extra_certs.p12";
+-$p12 = file_get_contents($p12_file);
+-$certs = array();
++
++$cert = file_get_contents(__DIR__ . "/public.crt");
++$priv = file_get_contents(__DIR__ . "/private.crt");
++$extracert = file_get_contents(__DIR__ . "/cert.crt");
+ $pass = "qwerty";
++openssl_pkcs12_export($cert, $p12, $priv, $pass, array('extracerts' => $extracert));
+
+ var_dump(openssl_pkcs12_read("", $certs, ""));
+ var_dump(openssl_pkcs12_read($p12, $certs, ""));
+@@ -73,24 +75,26 @@ MK80GEnRQIkB7uZVk+r0HusK
+ ["extracerts"]=>
+ array(1) {
+ [0]=>
+- string(1111) "-----BEGIN CERTIFICATE-----
+-MIIDBjCCAe4CCQDaL5/+UVeXuTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB
+-VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+-cyBQdHkgTHRkMB4XDTE1MDYxMDEyNDAwNVoXDTE2MDYwOTEyNDAwNVowRTELMAkG
+-A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
+-IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+-AL/IF7bW0vpEg5A054SDqTi5pkSeie6nyIT77qCAVI5PMlhNjxuqDIlLpCWonvKb
+-LMRtp7t24BsQBRgQgps8mtfRr0gV1qq9HMfDj2bZdGcTShZN/M/BFATwxaNRTHl9
+-ey8zxGcLd4aFFBlVhXHYdBXg/PG/oxJMAFuMwa+KxSP6Mqp1FlOZtvUUieQcToMf
+-Mh8Lbr4g/yHFj5lgWIJ2fmJjHJZ4wf9QBeGUrVqqxzSDEL9f0PGy+grqSHoIzLr3
+-+uhvhoI85nCyZs9+lrELuQKqbiZ8Q6Vmj6JGt3miNBFVTbBpP9GK8sVuVQwgqd8p
+-C3e8hHqv7vwF+s0zjiZ+rCcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdpTtiyDJ
+-0wLB18iunXCMUJpjc/HVYEp5P9vl2E/bcZfGns/8KxNHoe9mgJycr3mwjCjMjVx2
+-L/9q/8XoT02aBncwAx4oZ2H0qfjZppaUSnSc1Uv+dsldDC2mZvJgwXN7jtQmU5P3
+-cspFHuJoYK8AqYJqlO6E4L9uRF7dLEliUnrBpF4BxziwskTquRX+zgD+fmk0L5O8
+-qqvm8btWCxfng+qD7UHFWbUQ2IegZ3VrBWJ2XsxOvokMM4HoHVb0BZgq8Dvu0XJ9
+-EriEQkcydtrRKtlcWHLKcJuNUnkw2qfj+F8mmdaZib8Apa1UCkt0ZlpyYO3V2ejY
+-WIjafwJYrv6f5g==
++ string(1249) "-----BEGIN CERTIFICATE-----
++MIIDbDCCAtWgAwIBAgIJAK7FVsxyN1CiMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
++VQQGEwJCUjEaMBgGA1UECBMRUmlvIEdyYW5kZSBkbyBTdWwxFTATBgNVBAcTDFBv
++cnRvIEFsZWdyZTEeMBwGA1UEAxMVSGVucmlxdWUgZG8gTi4gQW5nZWxvMR8wHQYJ
++KoZIhvcNAQkBFhBobmFuZ2Vsb0BwaHAubmV0MB4XDTA4MDYzMDEwMjg0M1oXDTA4
++MDczMDEwMjg0M1owgYExCzAJBgNVBAYTAkJSMRowGAYDVQQIExFSaW8gR3JhbmRl
++IGRvIFN1bDEVMBMGA1UEBxMMUG9ydG8gQWxlZ3JlMR4wHAYDVQQDExVIZW5yaXF1
++ZSBkbyBOLiBBbmdlbG8xHzAdBgkqhkiG9w0BCQEWEGhuYW5nZWxvQHBocC5uZXQw
++gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMteno+QK1ulX4/WDAVBYfoTPRTz
++e4SZLwgael4jwWTytj+8c5nNllrFELD6WjJzfjaoIMhCF4w4I2bkWR6/PTqrvnv+
++iiiItHfKvJgYqIobUhkiKmWa2wL3mgqvNRIqTrTC4jWZuCkxQ/ksqL9O/F6zk+aR
++S1d+KbPaqCR5Rw+lAgMBAAGjgekwgeYwHQYDVR0OBBYEFNt+QHK9XDWF7CkpgRLo
++Ymhqtz99MIG2BgNVHSMEga4wgauAFNt+QHK9XDWF7CkpgRLoYmhqtz99oYGHpIGE
++MIGBMQswCQYDVQQGEwJCUjEaMBgGA1UECBMRUmlvIEdyYW5kZSBkbyBTdWwxFTAT
++BgNVBAcTDFBvcnRvIEFsZWdyZTEeMBwGA1UEAxMVSGVucmlxdWUgZG8gTi4gQW5n
++ZWxvMR8wHQYJKoZIhvcNAQkBFhBobmFuZ2Vsb0BwaHAubmV0ggkArsVWzHI3UKIw
++DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCP1GUnStC0TBqngr3Kx+zS
++UW8KutKO0ORc5R8aV/x9LlaJrzPyQJgiPpu5hXogLSKRIHxQS3X2+Y0VvIpW72LW
++PVKPhYlNtO3oKnfoJGKin0eEhXRZMjfEW/kznY+ZZmNifV2r8s+KhNAqI4PbClvn
++4vh8xF/9+eVEj+hM+0OflA==
+ -----END CERTIFICATE-----
+ "
+ }
+
+--
+2.31.1
+
+From 8e99695bb1f630edee4ddb44ae78e99190b5efb3 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Fri, 6 Aug 2021 11:15:18 +0200
+Subject: [PATCH 23/39] Do not special case export of EC keys
+
+All other private keys are exported in PKCS#8 format, while EC
+keys use traditional format. Switch them to use PKCS#8 format as
+well.
+
+As the OpenSSL docs say:
+
+> PEM_write_bio_PrivateKey_traditional() writes out a private key
+> in the "traditional" format with a simple private key marker and
+> should only be used for compatibility with legacy programs.
+
+(cherry picked from commit f2d3e75933fa155a5281c824263780dbc660ecb1)
+---
+ ext/openssl/openssl.c | 36 ++++---------------
+ .../tests/openssl_pkey_export_basic.phpt | 6 +++-
+ 2 files changed, 11 insertions(+), 31 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 91d2589aad..b360b0506e 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -4225,21 +4225,9 @@ PHP_FUNCTION(openssl_pkey_export_to_file)
+ cipher = NULL;
+ }
+
+- switch (EVP_PKEY_base_id(key)) {
+-#ifdef HAVE_EVP_PKEY_EC
+- case EVP_PKEY_EC:
+- pem_write = PEM_write_bio_ECPrivateKey(
+- bio_out, EVP_PKEY_get0_EC_KEY(key), cipher,
+- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
+- break;
+-#endif
+- default:
+- pem_write = PEM_write_bio_PrivateKey(
+- bio_out, key, cipher,
+- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
+- break;
+- }
+-
++ pem_write = PEM_write_bio_PrivateKey(
++ bio_out, key, cipher,
++ (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
+ if (pem_write) {
+ /* Success!
+ * If returning the output as a string, do so now */
+@@ -4297,21 +4285,9 @@ PHP_FUNCTION(openssl_pkey_export)
+ cipher = NULL;
+ }
+
+- switch (EVP_PKEY_base_id(key)) {
+-#ifdef HAVE_EVP_PKEY_EC
+- case EVP_PKEY_EC:
+- pem_write = PEM_write_bio_ECPrivateKey(
+- bio_out, EVP_PKEY_get0_EC_KEY(key), cipher,
+- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
+- break;
+-#endif
+- default:
+- pem_write = PEM_write_bio_PrivateKey(
+- bio_out, key, cipher,
+- (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
+- break;
+- }
+-
++ pem_write = PEM_write_bio_PrivateKey(
++ bio_out, key, cipher,
++ (unsigned char *)passphrase, (int)passphrase_len, NULL, NULL);
+ if (pem_write) {
+ /* Success!
+ * If returning the output as a string, do so now */
+diff --git a/ext/openssl/tests/openssl_pkey_export_basic.phpt b/ext/openssl/tests/openssl_pkey_export_basic.phpt
+index 678b7e7299..5cd68d18b8 100644
+--- a/ext/openssl/tests/openssl_pkey_export_basic.phpt
++++ b/ext/openssl/tests/openssl_pkey_export_basic.phpt
+@@ -47,7 +47,11 @@ var_dump($key instanceof OpenSSLAsymmetricKey);
+ object(OpenSSLAsymmetricKey)#%d (0) {
+ }
+ bool(true)
+------BEGIN EC PRIVATE KEY-----%a-----END EC PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----
++MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgs+Sqh7IzteDBiS5K
++PfTvuWuyt9YkrkuoyiW/6bag6NmhRANCAAQ+riFshYe8HnWt1avx6OuNajipU1ZW
++6BgW0+D/EtDDSYeQg9ngO8qyo5M6cyh7ORtKZVUy7DP1+W+eocaZC+a6
++-----END PRIVATE KEY-----
+ bool(true)
+ bool(true)
+ object(OpenSSLAsymmetricKey)#%d (0) {
+--
+2.31.1
+
+From 87bec9d2942be4a87cccb0d28cb3e134d692c312 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Fri, 6 Aug 2021 16:51:05 +0200
+Subject: [PATCH 24/39] Switch manual DH key generation to param API
+
+Instead of using the deprecated low-level interface.
+
+This should also avoid issues with fetching parameters from
+legacy keys, cf. https://github.com/openssl/openssl/issues/16247.
+
+(cherry picked from commit a7740a0bf00704372353ea4360c3e6b58102a6f7)
+---
+ ext/openssl/openssl.c | 136 ++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 112 insertions(+), 24 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index b360b0506e..06e5adecda 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -56,6 +56,10 @@
+ #include <openssl/ssl.h>
+ #include <openssl/pkcs12.h>
+ #include <openssl/cms.h>
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++#include <openssl/core_names.h>
++#include <openssl/param_build.h>
++#endif
+
+ /* Common */
+ #include <time.h>
+@@ -3919,8 +3923,8 @@ static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM
+ }
+ /* }}} */
+
+-/* {{{ php_openssl_pkey_init_dh */
+-static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private)
++#if PHP_OPENSSL_API_VERSION < 0x30000
++static zend_bool php_openssl_pkey_init_legacy_dh(DH *dh, zval *data, bool *is_private)
+ {
+ BIGNUM *p, *q, *g, *priv_key, *pub_key;
+
+@@ -3952,9 +3956,108 @@ static zend_bool php_openssl_pkey_init_dh(DH *dh, zval *data, bool *is_private)
+ return 0;
+ }
+ /* all good */
++ *is_private = true;
+ return 1;
+ }
+-/* }}} */
++#endif
++
++static EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private)
++{
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL;
++ EVP_PKEY *param_key = NULL, *pkey = NULL;
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
++ OSSL_PARAM *params = NULL;
++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
++
++ OPENSSL_PKEY_SET_BN(data, p);
++ OPENSSL_PKEY_SET_BN(data, q);
++ OPENSSL_PKEY_SET_BN(data, g);
++ OPENSSL_PKEY_SET_BN(data, priv_key);
++ OPENSSL_PKEY_SET_BN(data, pub_key);
++
++ if (!ctx || !bld || !p || !g) {
++ goto cleanup;
++ }
++
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p);
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g);
++ if (q) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q);
++ }
++ if (priv_key) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key);
++ if (!pub_key) {
++ pub_key = php_openssl_dh_pub_from_priv(priv_key, g, p);
++ if (!pub_key) {
++ goto cleanup;
++ }
++ }
++ }
++ if (pub_key) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key);
++ }
++
++ params = OSSL_PARAM_BLD_to_param(bld);
++ if (!params) {
++ goto cleanup;
++ }
++
++ if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
++ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) {
++ goto cleanup;
++ }
++
++ if (pub_key || priv_key) {
++ *is_private = priv_key != NULL;
++ EVP_PKEY_up_ref(param_key);
++ pkey = param_key;
++ } else {
++ *is_private = true;
++ PHP_OPENSSL_RAND_ADD_TIME();
++ EVP_PKEY_CTX_free(ctx);
++ ctx = EVP_PKEY_CTX_new(param_key, NULL);
++ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
++ goto cleanup;
++ }
++ }
++
++cleanup:
++ php_openssl_store_errors();
++ EVP_PKEY_free(param_key);
++ EVP_PKEY_CTX_free(ctx);
++ OSSL_PARAM_free(params);
++ OSSL_PARAM_BLD_free(bld);
++ BN_free(p);
++ BN_free(q);
++ BN_free(g);
++ BN_free(priv_key);
++ BN_free(pub_key);
++ return pkey;
++#else
++ EVP_PKEY *pkey = EVP_PKEY_new();
++ if (!pkey) {
++ php_openssl_store_errors();
++ return NULL;
++ }
++
++ DH *dh = DH_new();
++ if (!dh) {
++ EVP_PKEY_free(pkey);
++ return NULL;
++ }
++
++ if (!php_openssl_pkey_init_legacy_dh(dh, data, is_private)
++ || !EVP_PKEY_assign_DH(pkey, dh)) {
++ php_openssl_store_errors();
++ EVP_PKEY_free(pkey);
++ DH_free(dh);
++ return NULL;
++ }
++
++ return pkey;
++#endif
++}
+
+ /* {{{ Generates a new private key */
+ PHP_FUNCTION(openssl_pkey_new)
+@@ -4016,28 +4119,13 @@ PHP_FUNCTION(openssl_pkey_new)
+ RETURN_FALSE;
+ } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dh", sizeof("dh") - 1)) != NULL &&
+ Z_TYPE_P(data) == IS_ARRAY) {
+- pkey = EVP_PKEY_new();
+- if (pkey) {
+- DH *dh = DH_new();
+- if (dh) {
+- bool is_private;
+- if (php_openssl_pkey_init_dh(dh, data, &is_private)) {
+- if (EVP_PKEY_assign_DH(pkey, dh)) {
+- php_openssl_pkey_object_init(return_value, pkey, is_private);
+- return;
+- } else {
+- php_openssl_store_errors();
+- }
+- }
+- DH_free(dh);
+- } else {
+- php_openssl_store_errors();
+- }
+- EVP_PKEY_free(pkey);
+- } else {
+- php_openssl_store_errors();
++ bool is_private;
++ pkey = php_openssl_pkey_init_dh(data, &is_private);
++ if (!pkey) {
++ RETURN_FALSE;
+ }
+- RETURN_FALSE;
++ php_openssl_pkey_object_init(return_value, pkey, is_private);
++ return;
+ #ifdef HAVE_EVP_PKEY_EC
+ } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ec", sizeof("ec") - 1)) != NULL &&
+ Z_TYPE_P(data) == IS_ARRAY) {
+--
+2.31.1
+
+From 0b1f12e24360dad5c6feba319af7e12e2cf72fc1 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Fri, 6 Aug 2021 17:14:58 +0200
+Subject: [PATCH 25/39] Switch manual DSA key generation to param API
+
+This is very similar to the DH case, with the primary difference
+that priv_key is ignored if pub_key is not given, rather than
+generating pub_key from priv_key. Would be nice if these worked
+the same (in which case we should probably also unify the keygen
+for FFC algorithms, as it's very similar).
+
+(cherry picked from commit 2bf316fdfc0cfc4b6a5e27c9a13274d01b4b298f)
+---
+ ext/openssl/openssl.c | 126 ++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 102 insertions(+), 24 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 06e5adecda..84a4083807 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -3844,8 +3844,8 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa,
+ return 1;
+ }
+
+-/* {{{ php_openssl_pkey_init_dsa */
+-static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_private)
++#if PHP_OPENSSL_API_VERSION < 0x30000
++static zend_bool php_openssl_pkey_init_legacy_dsa(DSA *dsa, zval *data, bool *is_private)
+ {
+ BIGNUM *p, *q, *g, *priv_key, *pub_key;
+ const BIGNUM *priv_key_const, *pub_key_const;
+@@ -3878,9 +3878,102 @@ static zend_bool php_openssl_pkey_init_dsa(DSA *dsa, zval *data, bool *is_privat
+ return 0;
+ }
+ /* all good */
++ *is_private = true;
+ return 1;
+ }
+-/* }}} */
++#endif
++
++static EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private)
++{
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL;
++ EVP_PKEY *param_key = NULL, *pkey = NULL;
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, NULL);
++ OSSL_PARAM *params = NULL;
++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
++
++ OPENSSL_PKEY_SET_BN(data, p);
++ OPENSSL_PKEY_SET_BN(data, q);
++ OPENSSL_PKEY_SET_BN(data, g);
++ OPENSSL_PKEY_SET_BN(data, priv_key);
++ OPENSSL_PKEY_SET_BN(data, pub_key);
++
++ if (!ctx || !bld || !p || !q || !g) {
++ goto cleanup;
++ }
++
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p);
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q);
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g);
++ // TODO: We silently ignore priv_key if pub_key is not given, unlike in the DH case.
++ if (pub_key) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key);
++ if (priv_key) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key);
++ }
++ }
++
++ params = OSSL_PARAM_BLD_to_param(bld);
++ if (!params) {
++ goto cleanup;
++ }
++
++ if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
++ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) {
++ goto cleanup;
++ }
++
++ if (pub_key) {
++ *is_private = priv_key != NULL;
++ EVP_PKEY_up_ref(param_key);
++ pkey = param_key;
++ } else {
++ *is_private = true;
++ PHP_OPENSSL_RAND_ADD_TIME();
++ EVP_PKEY_CTX_free(ctx);
++ ctx = EVP_PKEY_CTX_new(param_key, NULL);
++ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
++ goto cleanup;
++ }
++ }
++
++cleanup:
++ php_openssl_store_errors();
++ EVP_PKEY_free(param_key);
++ EVP_PKEY_CTX_free(ctx);
++ OSSL_PARAM_free(params);
++ OSSL_PARAM_BLD_free(bld);
++ BN_free(p);
++ BN_free(q);
++ BN_free(g);
++ BN_free(priv_key);
++ BN_free(pub_key);
++ return pkey;
++#else
++ EVP_PKEY *pkey = EVP_PKEY_new();
++ if (!pkey) {
++ php_openssl_store_errors();
++ return NULL;
++ }
++
++ DSA *dsa = DSA_new();
++ if (!dsa) {
++ php_openssl_store_errors();
++ EVP_PKEY_free(pkey);
++ return NULL;
++ }
++
++ if (!php_openssl_pkey_init_legacy_dsa(dsa, data, is_private)
++ || !EVP_PKEY_assign_DSA(pkey, dsa)) {
++ php_openssl_store_errors();
++ EVP_PKEY_free(pkey);
++ DSA_free(dsa);
++ return NULL;
++ }
++
++ return pkey;
++#endif
++}
+
+ /* {{{ php_openssl_dh_pub_from_priv */
+ static BIGNUM *php_openssl_dh_pub_from_priv(BIGNUM *priv_key, BIGNUM *g, BIGNUM *p)
+@@ -4095,28 +4188,13 @@ PHP_FUNCTION(openssl_pkey_new)
+ RETURN_FALSE;
+ } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dsa", sizeof("dsa") - 1)) != NULL &&
+ Z_TYPE_P(data) == IS_ARRAY) {
+- pkey = EVP_PKEY_new();
+- if (pkey) {
+- DSA *dsa = DSA_new();
+- if (dsa) {
+- bool is_private;
+- if (php_openssl_pkey_init_dsa(dsa, data, &is_private)) {
+- if (EVP_PKEY_assign_DSA(pkey, dsa)) {
+- php_openssl_pkey_object_init(return_value, pkey, is_private);
+- return;
+- } else {
+- php_openssl_store_errors();
+- }
+- }
+- DSA_free(dsa);
+- } else {
+- php_openssl_store_errors();
+- }
+- EVP_PKEY_free(pkey);
+- } else {
+- php_openssl_store_errors();
++ bool is_private;
++ pkey = php_openssl_pkey_init_dsa(data, &is_private);
++ if (!pkey) {
++ RETURN_FALSE;
+ }
+- RETURN_FALSE;
++ php_openssl_pkey_object_init(return_value, pkey, is_private);
++ return;
+ } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dh", sizeof("dh") - 1)) != NULL &&
+ Z_TYPE_P(data) == IS_ARRAY) {
+ bool is_private;
+--
+2.31.1
+
+From d20cf6a278be5561debcd5ce0cc34a6046eac669 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Sun, 8 Aug 2021 17:39:06 +0200
+Subject: [PATCH 26/39] Use OpenSSL NCONF APIs (#7337)
+
+(cherry picked from commit 94bc5fce261a4a56a545bdfb25d5c2452a07de08)
+---
+ ext/openssl/openssl.c | 66 +++++++++++++++++++++++--------------------
+ 1 file changed, 36 insertions(+), 30 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 84a4083807..1dda83f71e 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -500,8 +500,8 @@ int php_openssl_get_ssl_stream_data_index()
+ static char default_ssl_conf_filename[MAXPATHLEN];
+
+ struct php_x509_request { /* {{{ */
+- LHASH_OF(CONF_VALUE) * global_config; /* Global SSL config */
+- LHASH_OF(CONF_VALUE) * req_config; /* SSL config for this request */
++ CONF *global_config; /* Global SSL config */
++ CONF *req_config; /* SSL config for this request */
+ const EVP_MD * md_alg;
+ const EVP_MD * digest;
+ char * section_name,
+@@ -712,13 +712,13 @@ static time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */
+ }
+ /* }}} */
+
+-static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, LHASH_OF(CONF_VALUE) * config) /* {{{ */
++static inline int php_openssl_config_check_syntax(const char * section_label, const char * config_filename, const char * section, CONF *config) /* {{{ */
+ {
+ X509V3_CTX ctx;
+
+ X509V3_set_ctx_test(&ctx);
+- X509V3_set_conf_lhash(&ctx, config);
+- if (!X509V3_EXT_add_conf(config, &ctx, (char *)section, NULL)) {
++ X509V3_set_nconf(&ctx, config);
++ if (!X509V3_EXT_add_nconf(config, &ctx, (char *)section, NULL)) {
+ php_openssl_store_errors();
+ php_error_docref(NULL, E_WARNING, "Error loading %s section %s of %s",
+ section_label,
+@@ -730,17 +730,24 @@ static inline int php_openssl_config_check_syntax(const char * section_label, co
+ }
+ /* }}} */
+
+-static char *php_openssl_conf_get_string(
+- LHASH_OF(CONF_VALUE) *conf, const char *group, const char *name) {
+- char *str = CONF_get_string(conf, group, name);
+- if (str == NULL) {
+- /* OpenSSL reports an error if a configuration value is not found.
+- * However, we don't want to generate errors for optional configuration. */
+- ERR_clear_error();
+- }
++static char *php_openssl_conf_get_string(CONF *conf, const char *group, const char *name) {
++ /* OpenSSL reports an error if a configuration value is not found.
++ * However, we don't want to generate errors for optional configuration. */
++ ERR_set_mark();
++ char *str = NCONF_get_string(conf, group, name);
++ ERR_pop_to_mark();
+ return str;
+ }
+
++static long php_openssl_conf_get_number(CONF *conf, const char *group, const char *name) {
++ /* Same here, ignore errors. */
++ long res = 0;
++ ERR_set_mark();
++ NCONF_get_number(conf, group, name, &res);
++ ERR_pop_to_mark();
++ return res;
++}
++
+ static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */
+ {
+ char * str;
+@@ -752,7 +759,7 @@ static int php_openssl_add_oid_section(struct php_x509_request * req) /* {{{ */
+ if (str == NULL) {
+ return SUCCESS;
+ }
+- sktmp = CONF_get_section(req->req_config, str);
++ sktmp = NCONF_get_section(req->req_config, str);
+ if (sktmp == NULL) {
+ php_openssl_store_errors();
+ php_error_docref(NULL, E_WARNING, "Problem loading oid section %s", str);
+@@ -823,13 +830,13 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
+
+ SET_OPTIONAL_STRING_ARG("config", req->config_filename, default_ssl_conf_filename);
+ SET_OPTIONAL_STRING_ARG("config_section_name", req->section_name, "req");
+- req->global_config = CONF_load(NULL, default_ssl_conf_filename, NULL);
+- if (req->global_config == NULL) {
++ req->global_config = NCONF_new(NULL);
++ if (!NCONF_load(req->global_config, default_ssl_conf_filename, NULL)) {
+ php_openssl_store_errors();
+ }
+- req->req_config = CONF_load(NULL, req->config_filename, NULL);
+- if (req->req_config == NULL) {
+- php_openssl_store_errors();
++
++ req->req_config = NCONF_new(NULL);
++ if (!NCONF_load(req->req_config, req->config_filename, NULL)) {
+ return FAILURE;
+ }
+
+@@ -853,8 +860,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
+ SET_OPTIONAL_STRING_ARG("req_extensions", req->request_extensions_section,
+ php_openssl_conf_get_string(req->req_config, req->section_name, "req_extensions"));
+ SET_OPTIONAL_LONG_ARG("private_key_bits", req->priv_key_bits,
+- CONF_get_number(req->req_config, req->section_name, "default_bits"));
+-
++ php_openssl_conf_get_number(req->req_config, req->section_name, "default_bits"));
+ SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT);
+
+ if (optional_args && (item = zend_hash_str_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key")-1)) != NULL) {
+@@ -934,11 +940,11 @@ static void php_openssl_dispose_config(struct php_x509_request * req) /* {{{ */
+ req->priv_key = NULL;
+ }
+ if (req->global_config) {
+- CONF_free(req->global_config);
++ NCONF_free(req->global_config);
+ req->global_config = NULL;
+ }
+ if (req->req_config) {
+- CONF_free(req->req_config);
++ NCONF_free(req->req_config);
+ req->req_config = NULL;
+ }
+ }
+@@ -2844,12 +2850,12 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z
+ STACK_OF(CONF_VALUE) * dn_sk, *attr_sk = NULL;
+ char * str, *dn_sect, *attr_sect;
+
+- dn_sect = CONF_get_string(req->req_config, req->section_name, "distinguished_name");
++ dn_sect = NCONF_get_string(req->req_config, req->section_name, "distinguished_name");
+ if (dn_sect == NULL) {
+ php_openssl_store_errors();
+ return FAILURE;
+ }
+- dn_sk = CONF_get_section(req->req_config, dn_sect);
++ dn_sk = NCONF_get_section(req->req_config, dn_sect);
+ if (dn_sk == NULL) {
+ php_openssl_store_errors();
+ return FAILURE;
+@@ -2858,7 +2864,7 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z
+ if (attr_sect == NULL) {
+ attr_sk = NULL;
+ } else {
+- attr_sk = CONF_get_section(req->req_config, attr_sect);
++ attr_sk = NCONF_get_section(req->req_config, attr_sect);
+ if (attr_sk == NULL) {
+ php_openssl_store_errors();
+ return FAILURE;
+@@ -3275,8 +3281,8 @@ PHP_FUNCTION(openssl_csr_sign)
+ X509V3_CTX ctx;
+
+ X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0);
+- X509V3_set_conf_lhash(&ctx, req.req_config);
+- if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.extensions_section, new_cert)) {
++ X509V3_set_nconf(&ctx, req.req_config);
++ if (!X509V3_EXT_add_nconf(req.req_config, &ctx, req.extensions_section, new_cert)) {
+ php_openssl_store_errors();
+ goto cleanup;
+ }
+@@ -3349,10 +3355,10 @@ PHP_FUNCTION(openssl_csr_new)
+ X509V3_CTX ext_ctx;
+
+ X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, 0);
+- X509V3_set_conf_lhash(&ext_ctx, req.req_config);
++ X509V3_set_nconf(&ext_ctx, req.req_config);
+
+ /* Add extensions */
+- if (req.request_extensions_section && !X509V3_EXT_REQ_add_conf(req.req_config,
++ if (req.request_extensions_section && !X509V3_EXT_REQ_add_nconf(req.req_config,
+ &ext_ctx, req.request_extensions_section, csr))
+ {
+ php_openssl_store_errors();
+--
+2.31.1
+
+From 575c8ddf73c4a343139be225596c5101497e3186 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Sun, 8 Aug 2021 20:54:46 +0100
+Subject: [PATCH 27/39] Make CertificateGenerator not dependent on external
+ config in OpenSSL 3.0
+
+(cherry picked from commit c90c9c7545427d9d35cbac45c4ec896f54619744)
+---
+ ext/openssl/tests/CertificateGenerator.inc | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/ext/openssl/tests/CertificateGenerator.inc b/ext/openssl/tests/CertificateGenerator.inc
+index 1dc378e706..4783353a47 100644
+--- a/ext/openssl/tests/CertificateGenerator.inc
++++ b/ext/openssl/tests/CertificateGenerator.inc
+@@ -65,7 +65,10 @@ class CertificateGenerator
+ ),
+ null,
+ $this->caKey,
+- 2
++ 2,
++ [
++ 'config' => self::CONFIG,
++ ]
+ );
+ }
+
+@@ -101,6 +104,7 @@ class CertificateGenerator
+ [ req ]
+ distinguished_name = req_distinguished_name
+ default_md = sha256
++default_bits = 1024
+
+ [ req_distinguished_name ]
+
+@@ -124,8 +128,9 @@ CONFIG;
+ ];
+
+ $this->lastKey = self::generateKey($keyLength);
++ $csr = openssl_csr_new($dn, $this->lastKey, $config);
+ $this->lastCert = openssl_csr_sign(
+- openssl_csr_new($dn, $this->lastKey, $config),
++ $csr,
+ $this->ca,
+ $this->caKey,
+ /* days */ 2,
+@@ -139,7 +144,7 @@ CONFIG;
+ openssl_x509_export($this->lastCert, $certText);
+
+ $keyText = '';
+- openssl_pkey_export($this->lastKey, $keyText);
++ openssl_pkey_export($this->lastKey, $keyText, null, $config);
+
+ file_put_contents($file, $certText . PHP_EOL . $keyText);
+ } finally {
+--
+2.31.1
+
+From 4da1bade85b14bd1f0aa9cf9f463931de54de2ef Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Mon, 9 Aug 2021 10:26:12 +0200
+Subject: [PATCH 28/39] Extract EC key initialization
+
+(cherry picked from commit 14d7c7e9aee5ab55a92ddc626b7b81c130ea7618)
+---
+ ext/openssl/openssl.c | 239 ++++++++++++++++++++++--------------------
+ 1 file changed, 126 insertions(+), 113 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 1dda83f71e..a595101cf6 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -4158,6 +4158,126 @@ cleanup:
+ #endif
+ }
+
++#ifdef HAVE_EVP_PKEY_EC
++static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_private) {
++ EC_GROUP *group = NULL;
++ EC_POINT *pnt = NULL;
++ BIGNUM *d = NULL;
++ zval *bn;
++ zval *x;
++ zval *y;
++
++ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL &&
++ Z_TYPE_P(bn) == IS_STRING) {
++ int nid = OBJ_sn2nid(Z_STRVAL_P(bn));
++ if (nid != NID_undef) {
++ group = EC_GROUP_new_by_curve_name(nid);
++ if (!group) {
++ php_openssl_store_errors();
++ goto clean_exit;
++ }
++ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
++ EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED);
++ if (!EC_KEY_set_group(eckey, group)) {
++ php_openssl_store_errors();
++ goto clean_exit;
++ }
++ }
++ }
++
++ if (group == NULL) {
++ php_error_docref(NULL, E_WARNING, "Unknown curve name");
++ goto clean_exit;
++ }
++
++ // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y'
++ *is_private = false;
++ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL &&
++ Z_TYPE_P(bn) == IS_STRING) {
++ *is_private = true;
++ d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL);
++ if (!EC_KEY_set_private_key(eckey, d)) {
++ php_openssl_store_errors();
++ goto clean_exit;
++ }
++ // Calculate the public key by multiplying the Point Q with the public key
++ // P = d * Q
++ pnt = EC_POINT_new(group);
++ if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) {
++ php_openssl_store_errors();
++ goto clean_exit;
++ }
++
++ BN_free(d);
++ } else if ((x = zend_hash_str_find(Z_ARRVAL_P(data), "x", sizeof("x") - 1)) != NULL &&
++ Z_TYPE_P(x) == IS_STRING &&
++ (y = zend_hash_str_find(Z_ARRVAL_P(data), "y", sizeof("y") - 1)) != NULL &&
++ Z_TYPE_P(y) == IS_STRING) {
++ pnt = EC_POINT_new(group);
++ if (pnt == NULL) {
++ php_openssl_store_errors();
++ goto clean_exit;
++ }
++ if (!EC_POINT_set_affine_coordinates_GFp(
++ group, pnt, BN_bin2bn((unsigned char*) Z_STRVAL_P(x), Z_STRLEN_P(x), NULL),
++ BN_bin2bn((unsigned char*) Z_STRVAL_P(y), Z_STRLEN_P(y), NULL), NULL)) {
++ php_openssl_store_errors();
++ goto clean_exit;
++ }
++ }
++
++ if (pnt != NULL) {
++ if (!EC_KEY_set_public_key(eckey, pnt)) {
++ php_openssl_store_errors();
++ goto clean_exit;
++ }
++ EC_POINT_free(pnt);
++ pnt = NULL;
++ }
++
++ if (!EC_KEY_check_key(eckey)) {
++ PHP_OPENSSL_RAND_ADD_TIME();
++ EC_KEY_generate_key(eckey);
++ php_openssl_store_errors();
++ }
++ if (EC_KEY_check_key(eckey)) {
++ return true;
++ } else {
++ php_openssl_store_errors();
++ }
++
++clean_exit:
++ BN_free(d);
++ EC_POINT_free(pnt);
++ EC_GROUP_free(group);
++ return false;
++}
++
++static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
++ EVP_PKEY *pkey = EVP_PKEY_new();
++ if (!pkey) {
++ php_openssl_store_errors();
++ return NULL;
++ }
++
++ EC_KEY *ec = EC_KEY_new();
++ if (!ec) {
++ EVP_PKEY_free(pkey);
++ return NULL;
++ }
++
++ if (!php_openssl_pkey_init_legacy_ec(ec, data, is_private)
++ || !EVP_PKEY_assign_EC_KEY(pkey, ec)) {
++ php_openssl_store_errors();
++ EVP_PKEY_free(pkey);
++ EC_KEY_free(ec);
++ return NULL;
++ }
++
++ return pkey;
++}
++#endif
++
+ /* {{{ Generates a new private key */
+ PHP_FUNCTION(openssl_pkey_new)
+ {
+@@ -4213,120 +4333,13 @@ PHP_FUNCTION(openssl_pkey_new)
+ #ifdef HAVE_EVP_PKEY_EC
+ } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "ec", sizeof("ec") - 1)) != NULL &&
+ Z_TYPE_P(data) == IS_ARRAY) {
+- EC_KEY *eckey = NULL;
+- EC_GROUP *group = NULL;
+- EC_POINT *pnt = NULL;
+- BIGNUM *d = NULL;
+- pkey = EVP_PKEY_new();
+- if (pkey) {
+- eckey = EC_KEY_new();
+- if (eckey) {
+- bool is_private = false;
+- EC_GROUP *group = NULL;
+- zval *bn;
+- zval *x;
+- zval *y;
+-
+- if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL &&
+- Z_TYPE_P(bn) == IS_STRING) {
+- int nid = OBJ_sn2nid(Z_STRVAL_P(bn));
+- if (nid != NID_undef) {
+- group = EC_GROUP_new_by_curve_name(nid);
+- if (!group) {
+- php_openssl_store_errors();
+- goto clean_exit;
+- }
+- EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
+- EC_GROUP_set_point_conversion_form(group, POINT_CONVERSION_UNCOMPRESSED);
+- if (!EC_KEY_set_group(eckey, group)) {
+- php_openssl_store_errors();
+- goto clean_exit;
+- }
+- }
+- }
+-
+- if (group == NULL) {
+- php_error_docref(NULL, E_WARNING, "Unknown curve name");
+- goto clean_exit;
+- }
+-
+- // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y'
+- if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL &&
+- Z_TYPE_P(bn) == IS_STRING) {
+- is_private = true;
+- d = BN_bin2bn((unsigned char*) Z_STRVAL_P(bn), Z_STRLEN_P(bn), NULL);
+- if (!EC_KEY_set_private_key(eckey, d)) {
+- php_openssl_store_errors();
+- goto clean_exit;
+- }
+- // Calculate the public key by multiplying the Point Q with the public key
+- // P = d * Q
+- pnt = EC_POINT_new(group);
+- if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) {
+- php_openssl_store_errors();
+- goto clean_exit;
+- }
+-
+- BN_free(d);
+- } else if ((x = zend_hash_str_find(Z_ARRVAL_P(data), "x", sizeof("x") - 1)) != NULL &&
+- Z_TYPE_P(x) == IS_STRING &&
+- (y = zend_hash_str_find(Z_ARRVAL_P(data), "y", sizeof("y") - 1)) != NULL &&
+- Z_TYPE_P(y) == IS_STRING) {
+- pnt = EC_POINT_new(group);
+- if (pnt == NULL) {
+- php_openssl_store_errors();
+- goto clean_exit;
+- }
+- if (!EC_POINT_set_affine_coordinates_GFp(
+- group, pnt, BN_bin2bn((unsigned char*) Z_STRVAL_P(x), Z_STRLEN_P(x), NULL),
+- BN_bin2bn((unsigned char*) Z_STRVAL_P(y), Z_STRLEN_P(y), NULL), NULL)) {
+- php_openssl_store_errors();
+- goto clean_exit;
+- }
+- }
+-
+- if (pnt != NULL) {
+- if (!EC_KEY_set_public_key(eckey, pnt)) {
+- php_openssl_store_errors();
+- goto clean_exit;
+- }
+- EC_POINT_free(pnt);
+- pnt = NULL;
+- }
+-
+- if (!EC_KEY_check_key(eckey)) {
+- PHP_OPENSSL_RAND_ADD_TIME();
+- EC_KEY_generate_key(eckey);
+- php_openssl_store_errors();
+- }
+- if (EC_KEY_check_key(eckey) && EVP_PKEY_assign_EC_KEY(pkey, eckey)) {
+- EC_GROUP_free(group);
+- php_openssl_pkey_object_init(return_value, pkey, is_private);
+- return;
+- } else {
+- php_openssl_store_errors();
+- }
+- } else {
+- php_openssl_store_errors();
+- }
+- } else {
+- php_openssl_store_errors();
+- }
+-clean_exit:
+- if (d != NULL) {
+- BN_free(d);
+- }
+- if (pnt != NULL) {
+- EC_POINT_free(pnt);
+- }
+- if (group != NULL) {
+- EC_GROUP_free(group);
+- }
+- if (eckey != NULL) {
+- EC_KEY_free(eckey);
++ bool is_private;
++ pkey = php_openssl_pkey_init_ec(data, &is_private);
++ if (!pkey) {
++ RETURN_FALSE;
+ }
+- EVP_PKEY_free(pkey);
+- RETURN_FALSE;
++ php_openssl_pkey_object_init(return_value, pkey, is_private);
++ return;
+ #endif
+ }
+ }
+--
+2.31.1
+
+From 0b12c49898ef390ce53e33490a842fd384de6902 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Mon, 9 Aug 2021 12:01:35 +0200
+Subject: [PATCH 29/39] Test calculation of EC public key from private key
+
+(cherry picked from commit 246698671f941b2034518ab04f35009b2da77bb1)
+---
+ ext/openssl/tests/ecc.phpt | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt
+index 0a71393ae3..0b05410c2c 100644
+--- a/ext/openssl/tests/ecc.phpt
++++ b/ext/openssl/tests/ecc.phpt
+@@ -33,6 +33,16 @@ $d2 = openssl_pkey_get_details($key2);
+ // Compare array
+ var_dump($d1 === $d2);
+
++// Check that the public key info is computed from the private key if it is missing.
++$d1_priv = $d1;
++unset($d1_priv["ec"]["x"]);
++unset($d1_priv["ec"]["y"]);
++
++$key3 = openssl_pkey_new($d1_priv);
++var_dump($key3);
++$d3 = openssl_pkey_get_details($key3);
++var_dump($d1 === $d3);
++
+ $dn = array(
+ "countryName" => "BR",
+ "stateOrProvinceName" => "Rio Grande do Sul",
+@@ -93,6 +103,9 @@ bool(true)
+ object(OpenSSLAsymmetricKey)#%d (0) {
+ }
+ bool(true)
++object(OpenSSLAsymmetricKey)#%d (0) {
++}
++bool(true)
+ Testing openssl_csr_new with key generation
+ NULL
+ object(OpenSSLAsymmetricKey)#%d (0) {
+--
+2.31.1
+
+From 6b6b7c28dc81e106f6a1ef96d1f4bc43901764cf Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Mon, 9 Aug 2021 11:12:20 +0200
+Subject: [PATCH 30/39] Use param API for creating EC keys
+
+Rather than the deprecated low level APIs.
+
+(cherry picked from commit f9e701cde813fad4e1f647e63750c0b9bdeadb4e)
+---
+ ext/openssl/openssl.c | 96 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 96 insertions(+)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index a595101cf6..df057caa8b 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -4159,6 +4159,7 @@ cleanup:
+ }
+
+ #ifdef HAVE_EVP_PKEY_EC
++#if PHP_OPENSSL_API_VERSION < 0x30000
+ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_private) {
+ EC_GROUP *group = NULL;
+ EC_POINT *pnt = NULL;
+@@ -4236,6 +4237,7 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_
+ }
+
+ if (!EC_KEY_check_key(eckey)) {
++ *is_private = true;
+ PHP_OPENSSL_RAND_ADD_TIME();
+ EC_KEY_generate_key(eckey);
+ php_openssl_store_errors();
+@@ -4252,8 +4254,101 @@ clean_exit:
+ EC_GROUP_free(group);
+ return false;
+ }
++#endif
+
+ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++ BIGNUM *d = NULL, *x = NULL, *y = NULL;
++ EC_GROUP *group = NULL;
++ EC_POINT *pnt = NULL;
++ char *pnt_oct = NULL;
++ EVP_PKEY *param_key = NULL, *pkey = NULL;
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
++ OSSL_PARAM *params = NULL;
++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
++ zval *curve_name_zv = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1);
++
++ OPENSSL_PKEY_SET_BN(data, d);
++ OPENSSL_PKEY_SET_BN(data, x);
++ OPENSSL_PKEY_SET_BN(data, y);
++
++ if (!ctx || !bld || !curve_name_zv || Z_TYPE_P(curve_name_zv) != IS_STRING) {
++ goto cleanup;
++ }
++
++ int nid = OBJ_sn2nid(Z_STRVAL_P(curve_name_zv));
++ group = EC_GROUP_new_by_curve_name(nid);
++ if (!group) {
++ php_error_docref(NULL, E_WARNING, "Unknown curve name");
++ goto cleanup;
++ }
++
++ OSSL_PARAM_BLD_push_utf8_string(
++ bld, OSSL_PKEY_PARAM_GROUP_NAME, Z_STRVAL_P(curve_name_zv), Z_STRLEN_P(curve_name_zv));
++
++ if (d) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, d);
++
++ pnt = EC_POINT_new(group);
++ if (!pnt || !EC_POINT_mul(group, pnt, d, NULL, NULL, NULL)) {
++ goto cleanup;
++ }
++ } else if (x && y) {
++ /* OpenSSL does not allow setting EC_PUB_X/EC_PUB_Y, so convert to encoded format. */
++ pnt = EC_POINT_new(group);
++ if (!pnt || !EC_POINT_set_affine_coordinates(group, pnt, x, y, NULL)) {
++ goto cleanup;
++ }
++ }
++
++ if (pnt) {
++ size_t pnt_oct_len =
++ EC_POINT_point2buf(group, pnt, POINT_CONVERSION_COMPRESSED, &pnt_oct, NULL);
++ if (!pnt_oct_len) {
++ goto cleanup;
++ }
++
++ OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, pnt_oct, pnt_oct_len);
++ }
++
++ params = OSSL_PARAM_BLD_to_param(bld);
++ if (!params) {
++ goto cleanup;
++ }
++
++ if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
++ EVP_PKEY_fromdata(ctx, ¶m_key, EVP_PKEY_KEYPAIR, params) <= 0) {
++ goto cleanup;
++ }
++
++ EVP_PKEY_CTX_free(ctx);
++ ctx = EVP_PKEY_CTX_new(param_key, NULL);
++ if (EVP_PKEY_check(ctx)) {
++ *is_private = d != NULL;
++ EVP_PKEY_up_ref(param_key);
++ pkey = param_key;
++ } else {
++ *is_private = true;
++ PHP_OPENSSL_RAND_ADD_TIME();
++ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen(ctx, &pkey) <= 0) {
++ goto cleanup;
++ }
++ }
++
++cleanup:
++ php_openssl_store_errors();
++ EVP_PKEY_free(param_key);
++ EVP_PKEY_CTX_free(ctx);
++ OSSL_PARAM_free(params);
++ OSSL_PARAM_BLD_free(bld);
++ EC_POINT_free(pnt);
++ EC_GROUP_free(group);
++ OPENSSL_free(pnt_oct);
++ BN_free(d);
++ BN_free(x);
++ BN_free(y);
++ return pkey;
++#else
+ EVP_PKEY *pkey = EVP_PKEY_new();
+ if (!pkey) {
+ php_openssl_store_errors();
+@@ -4275,6 +4370,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
+ }
+
+ return pkey;
++#endif
+ }
+ #endif
+
+--
+2.31.1
+
+From ab4d43be04953eb75b37d532ac5fe42f0464f1be Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Mon, 9 Aug 2021 14:19:33 +0200
+Subject: [PATCH 31/39] Extract public key portion via PEM roundtrip
+
+The workaround with cloning the X509_REQ no longer works in
+OpenSSL 3. Instead extract the public key portion by round
+tripping through PEM.
+
+(cherry picked from commit 26a51e8d7a6026f6bd69813d044785d154a296a3)
+---
+ ext/openssl/openssl.c | 43 +++++++++++++++++++------------------------
+ 1 file changed, 19 insertions(+), 24 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index df057caa8b..e86e99c73f 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -3430,49 +3430,44 @@ PHP_FUNCTION(openssl_csr_get_subject)
+ }
+ /* }}} */
+
++static EVP_PKEY *php_openssl_extract_public_key(EVP_PKEY *priv_key)
++{
++ /* Extract public key portion by round-tripping through PEM. */
++ BIO *bio = BIO_new(BIO_s_mem());
++ if (!bio || !PEM_write_bio_PUBKEY(bio, priv_key)) {
++ BIO_free(bio);
++ return NULL;
++ }
++
++ EVP_PKEY *pub_key = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
++ BIO_free(bio);
++ return pub_key;
++}
++
+ /* {{{ Returns the subject of a CERT or FALSE on error */
+ PHP_FUNCTION(openssl_csr_get_public_key)
+ {
+- X509_REQ *orig_csr, *csr;
+ zend_object *csr_obj;
+ zend_string *csr_str;
+ zend_bool use_shortnames = 1;
+
+- EVP_PKEY *tpubkey;
+-
+ ZEND_PARSE_PARAMETERS_START(1, 2)
+ Z_PARAM_OBJ_OF_CLASS_OR_STR(csr_obj, php_openssl_request_ce, csr_str)
+ Z_PARAM_OPTIONAL
+ Z_PARAM_BOOL(use_shortnames)
+ ZEND_PARSE_PARAMETERS_END();
+
+- orig_csr = php_openssl_csr_from_param(csr_obj, csr_str);
+- if (orig_csr == NULL) {
++ X509_REQ *csr = php_openssl_csr_from_param(csr_obj, csr_str);
++ if (csr == NULL) {
+ RETURN_FALSE;
+ }
+
+-#if PHP_OPENSSL_API_VERSION >= 0x10100
+- /* Due to changes in OpenSSL 1.1 related to locking when decoding CSR,
+- * the pub key is not changed after assigning. It means if we pass
+- * a private key, it will be returned including the private part.
+- * If we duplicate it, then we get just the public part which is
+- * the same behavior as for OpenSSL 1.0 */
+- csr = X509_REQ_dup(orig_csr);
+-#else
+- csr = orig_csr;
+-#endif
+-
+ /* Retrieve the public key from the CSR */
+- tpubkey = X509_REQ_get_pubkey(csr);
+-
+- if (csr != orig_csr) {
+- /* We need to free the duplicated CSR */
+- X509_REQ_free(csr);
+- }
++ EVP_PKEY *tpubkey = php_openssl_extract_public_key(X509_REQ_get_pubkey(csr));
+
+ if (csr_str) {
+- /* We also need to free the original CSR if it was freshly created */
+- X509_REQ_free(orig_csr);
++ /* We need to free the original CSR if it was freshly created */
++ X509_REQ_free(csr);
+ }
+
+ if (tpubkey == NULL) {
+--
+2.31.1
+
+From 7939ffbdcc8d3358306653d7343f2b70204824f9 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Fri, 6 Aug 2021 12:08:07 +0200
+Subject: [PATCH 32/39] Use param API for openssl_pkey_get_details()
+
+Now that the DSA/DH/EC keys are not created using the legacy API,
+we can fetch the details using the param API as well, and not
+run into buggy priv_key handling.
+
+(cherry picked from commit 6db2c2dbe7a02055e2798e503ccde4b151b7cabf)
+---
+ ext/openssl/openssl.c | 123 ++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 106 insertions(+), 17 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index e86e99c73f..40f05da9f2 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -3788,17 +3788,17 @@ cleanup:
+ }
+ /* }}} */
+
+-#define OPENSSL_GET_BN(_array, _bn, _name) do { \
+- if (_bn != NULL) { \
+- int len = BN_num_bytes(_bn); \
+- zend_string *str = zend_string_alloc(len, 0); \
+- BN_bn2bin(_bn, (unsigned char*)ZSTR_VAL(str)); \
+- ZSTR_VAL(str)[len] = 0; \
+- add_assoc_str(&_array, #_name, str); \
+- } \
+- } while (0);
++static void php_openssl_add_bn_to_array(zval *ary, const BIGNUM *bn, const char *name) {
++ if (bn != NULL) {
++ int len = BN_num_bytes(bn);
++ zend_string *str = zend_string_alloc(len, 0);
++ BN_bn2bin(bn, (unsigned char *)ZSTR_VAL(str));
++ ZSTR_VAL(str)[len] = 0;
++ add_assoc_str(ary, name, str);
++ }
++}
+
+-#define OPENSSL_PKEY_GET_BN(_type, _name) OPENSSL_GET_BN(_type, _name, _name)
++#define OPENSSL_PKEY_GET_BN(_type, _name) php_openssl_add_bn_to_array(&_type, _name, #_name)
+
+ #define OPENSSL_PKEY_SET_BN(_data, _name) do { \
+ zval *bn; \
+@@ -4639,12 +4639,34 @@ PHP_FUNCTION(openssl_pkey_get_private)
+
+ /* }}} */
+
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++static void php_openssl_copy_bn_param(
++ zval *ary, EVP_PKEY *pkey, const char *param, const char *name) {
++ BIGNUM *bn = NULL;
++ if (EVP_PKEY_get_bn_param(pkey, param, &bn) > 0) {
++ php_openssl_add_bn_to_array(ary, bn, name);
++ BN_free(bn);
++ }
++}
++
++static zend_string *php_openssl_get_utf8_param(
++ EVP_PKEY *pkey, const char *param, const char *name) {
++ char buf[64];
++ size_t len;
++ if (EVP_PKEY_get_utf8_string_param(pkey, param, buf, sizeof(buf), &len) > 0) {
++ zend_string *str = zend_string_alloc(len, 0);
++ memcpy(ZSTR_VAL(str), buf, len);
++ ZSTR_VAL(str)[len] = '\0';
++ return str;
++ }
++ return NULL;
++}
++#endif
++
+ /* {{{ returns an array with the key details (bits, pkey, type)*/
+ PHP_FUNCTION(openssl_pkey_get_details)
+ {
+ zval *key;
+- EVP_PKEY *pkey;
+- BIO *out;
+ unsigned int pbio_len;
+ char *pbio;
+ zend_long ktype;
+@@ -4653,9 +4675,9 @@ PHP_FUNCTION(openssl_pkey_get_details)
+ RETURN_THROWS();
+ }
+
+- pkey = Z_OPENSSL_PKEY_P(key)->pkey;
++ EVP_PKEY *pkey = Z_OPENSSL_PKEY_P(key)->pkey;
+
+- out = BIO_new(BIO_s_mem());
++ BIO *out = BIO_new(BIO_s_mem());
+ if (!PEM_write_bio_PUBKEY(out, pkey)) {
+ BIO_free(out);
+ php_openssl_store_errors();
+@@ -4669,6 +4691,72 @@ PHP_FUNCTION(openssl_pkey_get_details)
+ /*TODO: Use the real values once the openssl constants are used
+ * See the enum at the top of this file
+ */
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++ zval ary;
++ switch (EVP_PKEY_base_id(pkey)) {
++ case EVP_PKEY_RSA:
++ ktype = OPENSSL_KEYTYPE_RSA;
++ array_init(&ary);
++ add_assoc_zval(return_value, "rsa", &ary);
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_N, "n");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_E, "e");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_D, "d");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, "p");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, "q");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, "dmp1");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, "dmq1");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, "iqmp");
++ break;
++ case EVP_PKEY_DSA:
++ ktype = OPENSSL_KEYTYPE_DSA;
++ array_init(&ary);
++ add_assoc_zval(return_value, "dsa", &ary);
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_P, "p");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_Q, "q");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_G, "g");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "priv_key");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key");
++ break;
++ case EVP_PKEY_DH:
++ ktype = OPENSSL_KEYTYPE_DH;
++ array_init(&ary);
++ add_assoc_zval(return_value, "dh", &ary);
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_P, "p");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_FFC_G, "g");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "priv_key");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PUB_KEY, "pub_key");
++ break;
++ case EVP_PKEY_EC: {
++ ktype = OPENSSL_KEYTYPE_EC;
++ array_init(&ary);
++ add_assoc_zval(return_value, "ec", &ary);
++
++ zend_string *curve_name = php_openssl_get_utf8_param(
++ pkey, OSSL_PKEY_PARAM_GROUP_NAME, "curve_name");
++ if (curve_name) {
++ add_assoc_str(&ary, "curve_name", curve_name);
++
++ int nid = OBJ_sn2nid(ZSTR_VAL(curve_name));
++ if (nid != NID_undef) {
++ ASN1_OBJECT *obj = OBJ_nid2obj(nid);
++ if (obj) {
++ // OpenSSL recommends a buffer length of 80.
++ char oir_buf[80];
++ int oir_len = OBJ_obj2txt(oir_buf, sizeof(oir_buf), obj, 1);
++ add_assoc_stringl(&ary, "curve_oid", oir_buf, oir_len);
++ ASN1_OBJECT_free(obj);
++ }
++ }
++ }
++
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_EC_PUB_X, "x");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_EC_PUB_Y, "y");
++ php_openssl_copy_bn_param(&ary, pkey, OSSL_PKEY_PARAM_PRIV_KEY, "d");
++ break;
++ }
++ EMPTY_SWITCH_DEFAULT_CASE();
++ }
++#else
+ switch (EVP_PKEY_base_id(pkey)) {
+ case EVP_PKEY_RSA:
+ case EVP_PKEY_RSA2:
+@@ -4785,14 +4873,14 @@ PHP_FUNCTION(openssl_pkey_get_details)
+ pub = EC_KEY_get0_public_key(ec_key);
+
+ if (EC_POINT_get_affine_coordinates_GFp(ec_group, pub, x, y, NULL)) {
+- OPENSSL_GET_BN(ec, x, x);
+- OPENSSL_GET_BN(ec, y, y);
++ php_openssl_add_bn_to_array(&ec, x, "x");
++ php_openssl_add_bn_to_array(&ec, y, "y");
+ } else {
+ php_openssl_store_errors();
+ }
+
+ if ((d = EC_KEY_get0_private_key(EVP_PKEY_get0_EC_KEY(pkey))) != NULL) {
+- OPENSSL_GET_BN(ec, d, d);
++ php_openssl_add_bn_to_array(&ec, d, "d");
+ }
+
+ add_assoc_zval(return_value, "ec", &ec);
+@@ -4806,6 +4894,7 @@ PHP_FUNCTION(openssl_pkey_get_details)
+ ktype = -1;
+ break;
+ }
++#endif
+ add_assoc_long(return_value, "type", ktype);
+
+ BIO_free(out);
+--
+2.31.1
+
+From 35012d2b29254b806e5f376817d22f6c3bab136d Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Mon, 9 Aug 2021 14:34:12 +0200
+Subject: [PATCH 33/39] Add missing unsigned qualifier
+
+This previously got lost in the deprecation warning noise.
+
+(cherry picked from commit ff2a39e6fcbd9a3bd7f411168b19711a4be9a2a4)
+---
+ ext/openssl/openssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 40f05da9f2..856d7fc4af 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -4256,7 +4256,7 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
+ BIGNUM *d = NULL, *x = NULL, *y = NULL;
+ EC_GROUP *group = NULL;
+ EC_POINT *pnt = NULL;
+- char *pnt_oct = NULL;
++ unsigned char *pnt_oct = NULL;
+ EVP_PKEY *param_key = NULL, *pkey = NULL;
+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
+ OSSL_PARAM *params = NULL;
+--
+2.31.1
+
+From c34296faadc0a9e15e4ca960d573cdf3aabd8742 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Mon, 9 Aug 2021 14:47:43 +0200
+Subject: [PATCH 34/39] Use param API to create RSA key
+
+Instead of deprecated low-level API.
+
+A caveat here is that when using the high-level API, OpenSSL 3
+requires that if the prime factors are set, the CRT parameters
+are also set. See https://github.com/openssl/openssl/issues/16271.
+
+As such, add CRT parameters to the manual construction test.
+
+This fixes the last deprecation warnings in openssl.c, but there
+are more elsewhere.
+
+(cherry picked from commit 3724b49aa953fadc365c27e64fba2266d7f6d16b)
+---
+ ext/openssl/openssl.c | 121 +++++++++++++++---
+ ext/openssl/tests/openssl_pkey_new_basic.phpt | 16 +++
+ 2 files changed, 116 insertions(+), 21 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 856d7fc4af..9e31f76998 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -3812,8 +3812,8 @@ static void php_openssl_add_bn_to_array(zval *ary, const BIGNUM *bn, const char
+ } \
+ } while (0);
+
+-/* {{{ php_openssl_pkey_init_rsa */
+-static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa, zval *data)
++#if PHP_OPENSSL_API_VERSION < 0x30000
++static zend_bool php_openssl_pkey_init_legacy_rsa(RSA *rsa, zval *data)
+ {
+ BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
+
+@@ -3837,12 +3837,102 @@ static zend_bool php_openssl_pkey_init_and_assign_rsa(EVP_PKEY *pkey, RSA *rsa,
+ return 0;
+ }
+
+- if (!EVP_PKEY_assign_RSA(pkey, rsa)) {
++ return 1;
++}
++#endif
++
++static EVP_PKEY *php_openssl_pkey_init_rsa(zval *data)
++{
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL;
++ BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
++ EVP_PKEY *pkey = NULL;
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
++ OSSL_PARAM *params = NULL;
++ OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
++
++ OPENSSL_PKEY_SET_BN(data, n);
++ OPENSSL_PKEY_SET_BN(data, e);
++ OPENSSL_PKEY_SET_BN(data, d);
++ OPENSSL_PKEY_SET_BN(data, p);
++ OPENSSL_PKEY_SET_BN(data, q);
++ OPENSSL_PKEY_SET_BN(data, dmp1);
++ OPENSSL_PKEY_SET_BN(data, dmq1);
++ OPENSSL_PKEY_SET_BN(data, iqmp);
++
++ if (!ctx || !bld || !n || !d) {
++ goto cleanup;
++ }
++
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n);
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d);
++ if (e) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e);
++ }
++ if (p) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR1, p);
++ }
++ if (q) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR2, q);
++ }
++ if (dmp1) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1);
++ }
++ if (dmq1) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1);
++ }
++ if (iqmp) {
++ OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp);
++ }
++
++ params = OSSL_PARAM_BLD_to_param(bld);
++ if (!params) {
++ goto cleanup;
++ }
++
++ if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
++ EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) {
++ goto cleanup;
++ }
++
++cleanup:
++ php_openssl_store_errors();
++ EVP_PKEY_CTX_free(ctx);
++ OSSL_PARAM_free(params);
++ OSSL_PARAM_BLD_free(bld);
++ BN_free(n);
++ BN_free(e);
++ BN_free(d);
++ BN_free(p);
++ BN_free(q);
++ BN_free(dmp1);
++ BN_free(dmq1);
++ BN_free(iqmp);
++ return pkey;
++#else
++ EVP_PKEY *pkey = EVP_PKEY_new();
++ if (!pkey) {
+ php_openssl_store_errors();
+- return 0;
++ return NULL;
+ }
+
+- return 1;
++ RSA *rsa = RSA_new();
++ if (!rsa) {
++ php_openssl_store_errors();
++ EVP_PKEY_free(pkey);
++ return NULL;
++ }
++
++ if (!php_openssl_pkey_init_legacy_rsa(rsa, data)
++ || !EVP_PKEY_assign_RSA(pkey, rsa)) {
++ php_openssl_store_errors();
++ EVP_PKEY_free(pkey);
++ RSA_free(rsa);
++ return NULL;
++ }
++
++ return pkey;
++#endif
+ }
+
+ #if PHP_OPENSSL_API_VERSION < 0x30000
+@@ -4386,23 +4476,12 @@ PHP_FUNCTION(openssl_pkey_new)
+
+ if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "rsa", sizeof("rsa")-1)) != NULL &&
+ Z_TYPE_P(data) == IS_ARRAY) {
+- pkey = EVP_PKEY_new();
+- if (pkey) {
+- RSA *rsa = RSA_new();
+- if (rsa) {
+- if (php_openssl_pkey_init_and_assign_rsa(pkey, rsa, data)) {
+- php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true);
+- return;
+- }
+- RSA_free(rsa);
+- } else {
+- php_openssl_store_errors();
+- }
+- EVP_PKEY_free(pkey);
+- } else {
+- php_openssl_store_errors();
++ pkey = php_openssl_pkey_init_rsa(data);
++ if (!pkey) {
++ RETURN_FALSE;
+ }
+- RETURN_FALSE;
++ php_openssl_pkey_object_init(return_value, pkey, /* is_private */ true);
++ return;
+ } else if ((data = zend_hash_str_find(Z_ARRVAL_P(args), "dsa", sizeof("dsa") - 1)) != NULL &&
+ Z_TYPE_P(data) == IS_ARRAY) {
+ bool is_private;
+diff --git a/ext/openssl/tests/openssl_pkey_new_basic.phpt b/ext/openssl/tests/openssl_pkey_new_basic.phpt
+index b2c37f6a87..08c9660f22 100644
+--- a/ext/openssl/tests/openssl_pkey_new_basic.phpt
++++ b/ext/openssl/tests/openssl_pkey_new_basic.phpt
+@@ -26,6 +26,11 @@ $phex = "EECFAE81B1B9B3C908810B10A1B5600199EB9F44AEF4FDA493B81A9E3D84F632" .
+ $qhex = "C97FB1F027F453F6341233EAAAD1D9353F6C42D08866B1D05A0F2035028B9D86" .
+ "9840B41666B42E92EA0DA3B43204B5CFCE3352524D0416A5A441E700AF461503";
+
++$dphex = "11";
++$dqhex = "11";
++$qinvhex = "b06c4fdabb6301198d265bdbae9423b380f271f73453885093077fcd39e2119f" .
++ "c98632154f5883b167a967bf402b4e9e2e0f9656e698ea3666edfb25798039f7";
++
+ $rsa= openssl_pkey_new(array(
+ 'rsa' => array(
+ 'n' => hex2bin($nhex),
+@@ -33,6 +38,9 @@ $rsa= openssl_pkey_new(array(
+ 'd' => hex2bin($dhex),
+ 'p' => hex2bin($phex),
+ 'q' => hex2bin($qhex),
++ 'dmp1' => hex2bin($dphex),
++ 'dmq1' => hex2bin($dqhex),
++ 'iqmp' => hex2bin($qinvhex),
+ )
+ ));
+ $details = openssl_pkey_get_details($rsa);
+@@ -42,6 +50,10 @@ openssl_pkey_test_cmp($ehex, $rsa_details['e']);
+ openssl_pkey_test_cmp($dhex, $rsa_details['d']);
+ openssl_pkey_test_cmp($phex, $rsa_details['p']);
+ openssl_pkey_test_cmp($qhex, $rsa_details['q']);
++openssl_pkey_test_cmp($dphex, $rsa_details['dmp1']);
++openssl_pkey_test_cmp($dqhex, $rsa_details['dmq1']);
++openssl_pkey_test_cmp($qinvhex, $rsa_details['iqmp']);
++echo "\n";
+
+ // DSA
+ $phex = '00f8000ae45b2dacb47dd977d58b719d097bdf07cb2c17660ad898518c08' .
+@@ -95,6 +107,10 @@ int(0)
+ int(0)
+ int(0)
+ int(0)
++int(0)
++int(0)
++int(0)
++
+ int(0)
+ int(0)
+ int(0)
+--
+2.31.1
+
+From b32adee0fe39c9d0fb981fc7cfe1892c225ba1c3 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Tue, 10 Aug 2021 11:50:18 +0200
+Subject: [PATCH 35/39] Fork openssl_error_string() test for OpenSSL
+
+The used error code differ signficantly, so use a separate test
+file.
+
+openssl_encrypt() no longer throws an error for invalid key length,
+which looks like an upstream bug.
+
+(cherry picked from commit e5f53e1ca13bfe8abd0f6037c98b59d2dac5744f)
+---
+ .../tests/openssl_error_string_basic.phpt | 7 +-
+ .../openssl_error_string_basic_openssl3.phpt | 183 ++++++++++++++++++
+ 2 files changed, 188 insertions(+), 2 deletions(-)
+ create mode 100644 ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
+
+diff --git a/ext/openssl/tests/openssl_error_string_basic.phpt b/ext/openssl/tests/openssl_error_string_basic.phpt
+index f3eb82067b..aee84b3fab 100644
+--- a/ext/openssl/tests/openssl_error_string_basic.phpt
++++ b/ext/openssl/tests/openssl_error_string_basic.phpt
+@@ -1,7 +1,10 @@
+ --TEST--
+-openssl_error_string() tests
++openssl_error_string() tests (OpenSSL < 3.0)
+ --SKIPIF--
+-<?php if (!extension_loaded("openssl")) print "skip"; ?>
++<?php
++if (!extension_loaded("openssl")) print "skip";
++if (OPENSSL_VERSION_NUMBER >= 0x30000000) die('skip For OpenSSL < 3.0');
++?>
+ --FILE--
+ <?php
+ // helper function to check openssl errors
+diff --git a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
+new file mode 100644
+index 0000000000..b119346fe1
+--- /dev/null
++++ b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
+@@ -0,0 +1,183 @@
++--TEST--
++openssl_error_string() tests (OpenSSL >= 3.0)
++--EXTENSIONS--
++openssl
++--SKIPIF--
++<?php
++if (OPENSSL_VERSION_NUMBER < 0x30000000) die('skip For OpenSSL >= 3.0');
++?>
++--FILE--
++<?php
++// helper function to check openssl errors
++function expect_openssl_errors($name, $expected_error_codes) {
++ $expected_errors = array_fill_keys($expected_error_codes, false);
++ $all_errors = array();
++ while (($error_string = openssl_error_string()) !== false) {
++ if (preg_match(",.+:([0-9A-F]+):.+,", $error_string, $m) > 0) {
++ $error_code = $m[1];
++ if (isset($expected_errors[$error_code])) {
++ $expected_errors[$error_code] = true;
++ }
++ $all_errors[$error_code] = $error_string;
++ } else {
++ $all_errors[] = $error_string;
++ }
++ }
++
++ $fail = false;
++ foreach ($expected_errors as $error_code => $error_code_found) {
++ if (!$error_code_found) {
++ $fail = true;
++ echo "$name: no error code $error_code\n";
++ }
++ }
++
++ if (!$fail) {
++ echo "$name: ok\n";
++ } else {
++ echo "$name: uncaught errors\n";
++ foreach ($all_errors as $code => $str) {
++ if (!isset($expected_errors[$code]) || !$expected_errors[$code]) {
++ echo "\t", $code, ": ", $str, "\n";
++ }
++ }
++ }
++}
++
++// helper for debugging errors
++function dump_openssl_errors($name) {
++ echo "\n$name\n";
++ while (($error_string = openssl_error_string()) !== false) {
++ var_dump($error_string);
++ }
++}
++
++// common output file
++$output_file = __DIR__ . "/openssl_error_string_basic_output.tmp";
++// invalid file for read is something that does not exist in current directory
++$invalid_file_for_read = __DIR__ . "/invalid_file_for_read_operation.txt";
++// invalid file for is the test dir as writing file to existing dir should always fail
++$invalid_file_for_write = __DIR__;
++// crt file
++$crt_file = "file://" . __DIR__ . "/cert.crt";
++// csr file
++$csr_file = "file://" . __DIR__ . "/cert.csr";
++// public key file
++$public_key_file = "file://" .__DIR__ . "/public.key";
++// private key file
++$private_key_file = "file://" .__DIR__ . "/private_rsa_1024.key";
++// private key file with password (password is 'php')
++$private_key_file_with_pass = "file://" .__DIR__ . "/private_rsa_2048_pass_php.key";
++
++// ENCRYPTION
++$data = "test";
++$method = "AES-128-ECB";
++$enc_key = str_repeat('x', 40);
++// error because password is longer then key length and
++// EVP_CIPHER_CTX_set_key_length fails for AES
++if (0) {
++// TODO: This no longer errors!
++openssl_encrypt($data, $method, $enc_key);
++$enc_error = openssl_error_string();
++var_dump($enc_error);
++// make sure that error is cleared now
++var_dump(openssl_error_string());
++// internally OpenSSL ERR won't save more than 15 (16 - 1) errors so lets test it
++for ($i = 0; $i < 20; $i++) {
++ openssl_encrypt($data, $method, $enc_key);
++}
++$error_queue_size = 0;
++while (($enc_error_new = openssl_error_string()) !== false) {
++ if ($enc_error_new !== $enc_error) {
++ echo "The new encoding error doesn't match the expected one\n";
++ }
++ ++$error_queue_size;
++}
++var_dump($error_queue_size);
++echo "\n";
++}
++
++$err_pem_no_start_line = '0480006C';
++
++// PKEY
++echo "PKEY errors\n";
++// file for pkey (file:///) fails when opennig (BIO_new_file)
++@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file);
++expect_openssl_errors('openssl_pkey_export_to_file opening', ['10000080']);
++// file or private pkey is not correct PEM - failing PEM_read_bio_PrivateKey
++@openssl_pkey_export_to_file($csr_file, $output_file);
++expect_openssl_errors('openssl_pkey_export_to_file pem', ['1E08010C']);
++// file to export cannot be written
++@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write);
++expect_openssl_errors('openssl_pkey_export_to_file write', ['10080002']);
++// successful export
++@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd');
++expect_openssl_errors('openssl_pkey_export', ['1C800064', '04800065']);
++// invalid x509 for getting public key
++@openssl_pkey_get_public($private_key_file);
++expect_openssl_errors('openssl_pkey_get_public', [$err_pem_no_start_line]);
++// private encrypt with unknown padding
++@openssl_private_encrypt("data", $crypted, $private_key_file, 1000);
++expect_openssl_errors('openssl_private_encrypt', ['1C8000A5']);
++// private decrypt with failed padding check
++@openssl_private_decrypt("data", $crypted, $private_key_file);
++expect_openssl_errors('openssl_private_decrypt', ['0200009F', '02000072']);
++// public encrypt and decrypt with failed padding check and padding
++@openssl_public_encrypt("data", $crypted, $public_key_file, 1000);
++@openssl_public_decrypt("data", $crypted, $public_key_file);
++expect_openssl_errors('openssl_private_(en|de)crypt padding', [$err_pem_no_start_line, '02000076', '0200008A', '02000072', '1C880004']);
++
++// X509
++echo "X509 errors\n";
++// file for x509 (file:///) fails when opennig (BIO_new_file)
++@openssl_x509_export_to_file("file://" . $invalid_file_for_read, $output_file);
++expect_openssl_errors('openssl_x509_export_to_file open', ['10000080']);
++// file or str cert is not correct PEM - failing PEM_read_bio_X509 or PEM_ASN1_read_bio
++@openssl_x509_export_to_file($csr_file, $output_file);
++expect_openssl_errors('openssl_x509_export_to_file pem', [$err_pem_no_start_line]);
++// file to export cannot be written
++@openssl_x509_export_to_file($crt_file, $invalid_file_for_write);
++expect_openssl_errors('openssl_x509_export_to_file write', ['10080002']);
++// checking purpose fails because there is no such purpose 1000
++@openssl_x509_checkpurpose($crt_file, 1000);
++expect_openssl_errors('openssl_x509_checkpurpose purpose', ['05800079']);
++
++// CSR
++echo "CSR errors\n";
++// file for csr (file:///) fails when opennig (BIO_new_file)
++@openssl_csr_get_subject("file://" . $invalid_file_for_read);
++expect_openssl_errors('openssl_csr_get_subject open', ['10000080']);
++// file or str csr is not correct PEM - failing PEM_read_bio_X509_REQ
++@openssl_csr_get_subject($crt_file);
++expect_openssl_errors('openssl_csr_get_subjec pem', [$err_pem_no_start_line]);
++
++// other possible causes that are difficult to catch:
++// - ASN1_STRING_to_UTF8 fails in add_assoc_name_entry
++// - invalid php_x509_request field (NULL) would cause error with CONF_get_string
++
++?>
++--CLEAN--
++<?php
++$output_file = __DIR__ . "/openssl_error_string_basic_output.tmp";
++if (is_file($output_file)) {
++ unlink($output_file);
++}
++?>
++--EXPECT--
++PKEY errors
++openssl_pkey_export_to_file opening: ok
++openssl_pkey_export_to_file pem: ok
++openssl_pkey_export_to_file write: ok
++openssl_pkey_export: ok
++openssl_pkey_get_public: ok
++openssl_private_encrypt: ok
++openssl_private_decrypt: ok
++openssl_private_(en|de)crypt padding: ok
++X509 errors
++openssl_x509_export_to_file open: ok
++openssl_x509_export_to_file pem: ok
++openssl_x509_export_to_file write: ok
++openssl_x509_checkpurpose purpose: ok
++CSR errors
++openssl_csr_get_subject open: ok
++openssl_csr_get_subjec pem: ok
+--
+2.31.1
+
+From f99d70f7d8d660c2ded4f8f1700771c227987021 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Tue, 10 Aug 2021 12:17:17 +0200
+Subject: [PATCH 36/39] Switch dh_param handling to EVP_PKEY API
+
+(cherry picked from commit ef787bae242fdd2e72625bbce6ab4ca466b1ef59)
+---
+ ext/openssl/xp_ssl.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
+index 206543ca82..b61234943e 100644
+--- a/ext/openssl/xp_ssl.c
++++ b/ext/openssl/xp_ssl.c
+@@ -1197,11 +1197,7 @@ static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength)
+
+ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /* {{{ */
+ {
+- DH *dh;
+- BIO* bio;
+- zval *zdhpath;
+-
+- zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param");
++ zval *zdhpath = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", "dh_param");
+ if (zdhpath == NULL) {
+ #if 0
+ /* Coming in OpenSSL 1.1 ... eventually we'll want to enable this
+@@ -1216,14 +1212,29 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /*
+ return FAILURE;
+ }
+
+- bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
++ BIO *bio = BIO_new_file(Z_STRVAL_P(zdhpath), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
+
+ if (bio == NULL) {
+ php_error_docref(NULL, E_WARNING, "Invalid dh_param");
+ return FAILURE;
+ }
+
+- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
++#if PHP_OPENSSL_API_VERSION >= 0x30000
++ EVP_PKEY *pkey = PEM_read_bio_Parameters(bio, NULL);
++ BIO_free(bio);
++
++ if (pkey == NULL) {
++ php_error_docref(NULL, E_WARNING, "Failed reading DH params");
++ return FAILURE;
++ }
++
++ if (SSL_CTX_set0_tmp_dh_pkey(ctx, pkey) < 0) {
++ php_error_docref(NULL, E_WARNING, "Failed assigning DH params");
++ EVP_PKEY_free(pkey);
++ return FAILURE;
++ }
++#else
++ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+
+ if (dh == NULL) {
+@@ -1238,6 +1249,7 @@ static int php_openssl_set_server_dh_param(php_stream * stream, SSL_CTX *ctx) /*
+ }
+
+ DH_free(dh);
++#endif
+
+ return SUCCESS;
+ }
+--
+2.31.1
+
+From b3deb9b38d4a52b4582f40d4d32240353db26653 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 11 Aug 2021 10:11:12 +0200
+Subject: [PATCH 37/39] Fix openssl memory leaks
+
+Some leaks that snuck in during refactorings.
+
+(cherry picked from commit 7d2a2c7dc0447c81316d14f3a43a4b6a8ce0b982)
+---
+ ext/openssl/openssl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 9e31f76998..d8102bd4bc 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -3463,7 +3463,9 @@ PHP_FUNCTION(openssl_csr_get_public_key)
+ }
+
+ /* Retrieve the public key from the CSR */
+- EVP_PKEY *tpubkey = php_openssl_extract_public_key(X509_REQ_get_pubkey(csr));
++ EVP_PKEY *orig_key = X509_REQ_get_pubkey(csr);
++ EVP_PKEY *tpubkey = php_openssl_extract_public_key(orig_key);
++ EVP_PKEY_free(orig_key);
+
+ if (csr_str) {
+ /* We need to free the original CSR if it was freshly created */
+@@ -4328,6 +4330,7 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_
+ php_openssl_store_errors();
+ }
+ if (EC_KEY_check_key(eckey)) {
++ EC_GROUP_free(group);
+ return true;
+ } else {
+ php_openssl_store_errors();
+--
+2.31.1
+
+From 02f08ac888b0c5f43468eaf76b59b29a7c2d7c74 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Fri, 10 Sep 2021 11:28:20 +0200
+Subject: [PATCH 38/39] fix [-Wmaybe-uninitialized] build warnings
+
+(cherry picked from commit 6ee96f095ad947ffc820437b2e9e6449000e18a2)
+---
+ ext/openssl/openssl.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index d8102bd4bc..40e6e7ba97 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -3991,6 +3991,8 @@ static EVP_PKEY *php_openssl_pkey_init_dsa(zval *data, bool *is_private)
+ OPENSSL_PKEY_SET_BN(data, priv_key);
+ OPENSSL_PKEY_SET_BN(data, pub_key);
+
++ *is_private = false;
++
+ if (!ctx || !bld || !p || !q || !g) {
+ goto cleanup;
+ }
+@@ -4162,6 +4164,8 @@ static EVP_PKEY *php_openssl_pkey_init_dh(zval *data, bool *is_private)
+ OPENSSL_PKEY_SET_BN(data, priv_key);
+ OPENSSL_PKEY_SET_BN(data, pub_key);
+
++ *is_private = false;
++
+ if (!ctx || !bld || !p || !g) {
+ goto cleanup;
+ }
+@@ -4255,6 +4259,8 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_
+ zval *x;
+ zval *y;
+
++ *is_private = false;
++
+ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "curve_name", sizeof("curve_name") - 1)) != NULL &&
+ Z_TYPE_P(bn) == IS_STRING) {
+ int nid = OBJ_sn2nid(Z_STRVAL_P(bn));
+@@ -4279,7 +4285,6 @@ static bool php_openssl_pkey_init_legacy_ec(EC_KEY *eckey, zval *data, bool *is_
+ }
+
+ // The public key 'pnt' can be calculated from 'd' or is defined by 'x' and 'y'
+- *is_private = false;
+ if ((bn = zend_hash_str_find(Z_ARRVAL_P(data), "d", sizeof("d") - 1)) != NULL &&
+ Z_TYPE_P(bn) == IS_STRING) {
+ *is_private = true;
+@@ -4360,6 +4365,8 @@ static EVP_PKEY *php_openssl_pkey_init_ec(zval *data, bool *is_private) {
+ OPENSSL_PKEY_SET_BN(data, x);
+ OPENSSL_PKEY_SET_BN(data, y);
+
++ *is_private = false;
++
+ if (!ctx || !bld || !curve_name_zv || Z_TYPE_P(curve_name_zv) != IS_STRING) {
+ goto cleanup;
+ }
+--
+2.31.1
+
+From b881c41d32928781cb48013692da04fc84ca9107 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Sun, 12 Sep 2021 20:30:02 +0100
+Subject: [PATCH 39/39] Make OpenSSL tests less dependent on system config
+
+It fixes dependencies on system config if running tests with OpenSSL 3.0
+
+(cherry picked from commit 43f0141d74c1db6e792f3b625ea7f4ae57ff338f)
+---
+ ext/openssl/tests/bug52093.phpt | 6 +++---
+ ext/openssl/tests/bug72165.phpt | 5 +++--
+ ext/openssl/tests/bug73711.phpt | 3 +++
+ ext/openssl/tests/ecc.phpt | 3 +++
+ .../tests/openssl_error_string_basic_openssl3.phpt | 9 +++++----
+ 5 files changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/ext/openssl/tests/bug52093.phpt b/ext/openssl/tests/bug52093.phpt
+index 63eaceb5ac..162945f914 100644
+--- a/ext/openssl/tests/bug52093.phpt
++++ b/ext/openssl/tests/bug52093.phpt
+@@ -14,10 +14,10 @@ $dn = array(
+ "commonName" => "Henrique do N. Angelo",
+ "emailAddress" => "hnangelo@php.net"
+ );
+-
++$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf'];
+ $privkey = openssl_pkey_new();
+-$csr = openssl_csr_new($dn, $privkey);
+-$cert = openssl_csr_sign($csr, null, $privkey, 365, [], PHP_INT_MAX);
++$csr = openssl_csr_new($dn, $privkey, $options);
++$cert = openssl_csr_sign($csr, null, $privkey, 365, $options, PHP_INT_MAX);
+ var_dump(openssl_x509_parse($cert)['serialNumber']);
+ ?>
+ --EXPECT--
+diff --git a/ext/openssl/tests/bug72165.phpt b/ext/openssl/tests/bug72165.phpt
+index 50e8b54100..fb78881fc3 100644
+--- a/ext/openssl/tests/bug72165.phpt
++++ b/ext/openssl/tests/bug72165.phpt
+@@ -6,8 +6,9 @@ if (!extension_loaded("openssl")) die("skip");
+ ?>
+ --FILE--
+ <?php
+-$var0 = array(0 => "hello", 1 => "world");
+-$var2 = openssl_csr_new(array(0),$var0,null,array(0));
++$var0 = [0 => "hello", 1 => "world"];
++$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf'];
++$var2 = openssl_csr_new([0], $var0, $options, [0]);
+ ?>
+ --EXPECTF--
+ Warning: openssl_csr_new(): dn: numeric fild names are not supported in %sbug72165.php on line %d
+diff --git a/ext/openssl/tests/bug73711.phpt b/ext/openssl/tests/bug73711.phpt
+index 4e4bba8aa8..8ca0101d1a 100644
+--- a/ext/openssl/tests/bug73711.phpt
++++ b/ext/openssl/tests/bug73711.phpt
+@@ -6,13 +6,16 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded");
+ ?>
+ --FILE--
+ <?php
++$config = __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf';
+ var_dump(openssl_pkey_new([
+ "private_key_type" => OPENSSL_KEYTYPE_DSA,
+ "private_key_bits" => 1024,
++ 'config' => $config,
+ ]));
+ var_dump(openssl_pkey_new([
+ "private_key_type" => OPENSSL_KEYTYPE_DH,
+ "private_key_bits" => 512,
++ 'config' => $config,
+ ]));
+ echo "DONE";
+ ?>
+diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt
+index 0b05410c2c..1d97b1450a 100644
+--- a/ext/openssl/tests/ecc.phpt
++++ b/ext/openssl/tests/ecc.phpt
+@@ -4,9 +4,11 @@ openssl_*() with OPENSSL_KEYTYPE_EC
+ <?php if (!extension_loaded("openssl") || !defined("OPENSSL_KEYTYPE_EC")) print "skip"; ?>
+ --FILE--
+ <?php
++$config = __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf';
+ $args = array(
+ "curve_name" => "secp384r1",
+ "private_key_type" => OPENSSL_KEYTYPE_EC,
++ "config" => $config,
+ );
+ echo "Testing openssl_pkey_new\n";
+ $key1 = openssl_pkey_new($args);
+@@ -15,6 +17,7 @@ var_dump($key1);
+ $argsFailed = array(
+ "curve_name" => "invalid_cuve_name",
+ "private_key_type" => OPENSSL_KEYTYPE_EC,
++ "config" => $config,
+ );
+
+ $keyFailed = openssl_pkey_new($argsFailed);
+diff --git a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
+index b119346fe1..d435a53e30 100644
+--- a/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
++++ b/ext/openssl/tests/openssl_error_string_basic_openssl3.phpt
+@@ -100,18 +100,19 @@ echo "\n";
+ $err_pem_no_start_line = '0480006C';
+
+ // PKEY
++$options = ['config' => __DIR__ . DIRECTORY_SEPARATOR . 'openssl.cnf'];
+ echo "PKEY errors\n";
+ // file for pkey (file:///) fails when opennig (BIO_new_file)
+-@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file);
++@openssl_pkey_export_to_file("file://" . $invalid_file_for_read, $output_file, null, $options);
+ expect_openssl_errors('openssl_pkey_export_to_file opening', ['10000080']);
+ // file or private pkey is not correct PEM - failing PEM_read_bio_PrivateKey
+-@openssl_pkey_export_to_file($csr_file, $output_file);
++@openssl_pkey_export_to_file($csr_file, $output_file, null, $options);
+ expect_openssl_errors('openssl_pkey_export_to_file pem', ['1E08010C']);
+ // file to export cannot be written
+-@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write);
++@openssl_pkey_export_to_file($private_key_file, $invalid_file_for_write, null, $options);
+ expect_openssl_errors('openssl_pkey_export_to_file write', ['10080002']);
+ // successful export
+-@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd');
++@openssl_pkey_export($private_key_file_with_pass, $out, 'wrong pwd', $options);
+ expect_openssl_errors('openssl_pkey_export', ['1C800064', '04800065']);
+ // invalid x509 for getting public key
+ @openssl_pkey_get_public($private_key_file);
+--
+2.31.1
+
diff --git a/SOURCES/php-8.0.10-phar-sha.patch b/SOURCES/php-8.0.10-phar-sha.patch
new file mode 100644
index 0000000..7d6fa2c
--- /dev/null
+++ b/SOURCES/php-8.0.10-phar-sha.patch
@@ -0,0 +1,515 @@
+Backported for 8.0 from
+
+
+From 8bb0c74e24359a11216824117ac3adf3d5ef7b71 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 5 Aug 2021 11:10:15 +0200
+Subject: [PATCH] switch phar to use sha256 signature by default
+
+---
+ ext/phar/phar/pharcommand.inc | 2 +-
+ ext/phar/tests/create_new_and_modify.phpt | 4 ++--
+ ext/phar/tests/create_new_phar_c.phpt | 4 ++--
+ ext/phar/tests/phar_setsignaturealgo2.phpt | 2 +-
+ ext/phar/tests/tar/phar_setsignaturealgo2.phpt | 2 +-
+ ext/phar/tests/zip/phar_setsignaturealgo2.phpt | 2 +-
+ ext/phar/util.c | 6 +++---
+ ext/phar/zip.c | 2 +-
+ 8 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc
+index a31290eee75fe..5f698b4bec26b 100644
+--- a/ext/phar/phar/pharcommand.inc
++++ b/ext/phar/phar/pharcommand.inc
+@@ -92,7 +92,7 @@ class PharCommand extends CLICommand
+ 'typ' => 'select',
+ 'val' => NULL,
+ 'inf' => '<method> Selects the hash algorithm.',
+- 'select' => array('md5' => 'MD5','sha1' => 'SHA1')
++ 'select' => array('md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL')
+ ),
+ 'i' => array(
+ 'typ' => 'regex',
+diff --git a/ext/phar/tests/create_new_and_modify.phpt b/ext/phar/tests/create_new_and_modify.phpt
+index 02e36c6cea2fe..32defcae8a639 100644
+--- a/ext/phar/tests/create_new_and_modify.phpt
++++ b/ext/phar/tests/create_new_and_modify.phpt
+@@ -49,8 +49,8 @@ include $pname . '/b.php';
+ <?php unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.phar.php'); ?>
+ --EXPECTF--
+ brand new!
+-string(40) "%s"
+-string(40) "%s"
++string(%d) "%s"
++string(%d) "%s"
+ bool(true)
+ modified!
+ another!
+diff --git a/ext/phar/tests/create_new_phar_c.phpt b/ext/phar/tests/create_new_phar_c.phpt
+index 566d3c4d5f8ad..bf6d740fd1d10 100644
+--- a/ext/phar/tests/create_new_phar_c.phpt
++++ b/ext/phar/tests/create_new_phar_c.phpt
+@@ -20,7 +20,7 @@ var_dump($phar->getSignature());
+ --EXPECTF--
+ array(2) {
+ ["hash"]=>
+- string(40) "%s"
++ string(64) "%s"
+ ["hash_type"]=>
+- string(5) "SHA-1"
++ string(7) "SHA-256"
+ }
+diff --git a/ext/phar/tests/phar_setsignaturealgo2.phpt b/ext/phar/tests/phar_setsignaturealgo2.phpt
+index 293d3196713d8..4f31836fbbbcc 100644
+--- a/ext/phar/tests/phar_setsignaturealgo2.phpt
++++ b/ext/phar/tests/phar_setsignaturealgo2.phpt
+@@ -52,7 +52,7 @@ array(2) {
+ ["hash"]=>
+ string(%d) "%s"
+ ["hash_type"]=>
+- string(5) "SHA-1"
++ string(7) "SHA-256"
+ }
+ array(2) {
+ ["hash"]=>
+diff --git a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
+index 9923ac5c88476..cc10a241d739b 100644
+--- a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
++++ b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
+@@ -51,7 +51,7 @@ array(2) {
+ ["hash"]=>
+ string(%d) "%s"
+ ["hash_type"]=>
+- string(5) "SHA-1"
++ string(7) "SHA-256"
+ }
+ array(2) {
+ ["hash"]=>
+diff --git a/ext/phar/tests/zip/phar_setsignaturealgo2.phpt b/ext/phar/tests/zip/phar_setsignaturealgo2.phpt
+index 8de77479d7825..60fec578ee894 100644
+--- a/ext/phar/tests/zip/phar_setsignaturealgo2.phpt
++++ b/ext/phar/tests/zip/phar_setsignaturealgo2.phpt
+@@ -78,7 +78,7 @@ array(2) {
+ ["hash"]=>
+ string(%d) "%s"
+ ["hash_type"]=>
+- string(5) "SHA-1"
++ string(7) "SHA-256"
+ }
+ array(2) {
+ ["hash"]=>
+diff --git a/ext/phar/util.c b/ext/phar/util.c
+index 314acfe81a788..8d2db03b69601 100644
+--- a/ext/phar/util.c
++++ b/ext/phar/util.c
+@@ -1798,6 +1798,8 @@ int phar_create_signature(phar_archive_d
+ *signature_length = 64;
+ break;
+ }
++ default:
++ phar->sig_flags = PHAR_SIG_SHA256;
+ case PHAR_SIG_SHA256: {
+ unsigned char digest[32];
+ PHP_SHA256_CTX context;
+@@ -1894,8 +1896,6 @@ int phar_create_signature(phar_archive_d
+ *signature_length = siglen;
+ }
+ break;
+- default:
+- phar->sig_flags = PHAR_SIG_SHA1;
+ case PHAR_SIG_SHA1: {
+ unsigned char digest[20];
+ PHP_SHA1_CTX context;
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index 31d4bd2998215..c5e38cabf7b87 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -1423,7 +1423,7 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
+
+ memcpy(eocd.signature, "PK\5\6", 4);
+ if (!phar->is_data && !phar->sig_flags) {
+- phar->sig_flags = PHAR_SIG_SHA1;
++ phar->sig_flags = PHAR_SIG_SHA256;
+ }
+ if (phar->sig_flags) {
+ PHAR_SET_16(eocd.counthere, zend_hash_num_elements(&phar->manifest) + 1);
+
+From c51af22fef988c1b2f92b7b9e3a9d745f7084815 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 5 Aug 2021 16:49:48 +0200
+Subject: [PATCH] implement openssl_256 and openssl_512 for phar singatures
+
+---
+ ext/openssl/openssl.c | 1 +
+ ext/phar/phar.1.in | 10 +++-
+ ext/phar/phar.c | 8 +++-
+ ext/phar/phar/pharcommand.inc | 14 +++++-
+ ext/phar/phar_internal.h | 2 +
+ ext/phar/phar_object.c | 24 ++++++++--
+ ext/phar/tests/files/openssl256.phar | Bin 0 -> 7129 bytes
+ ext/phar/tests/files/openssl256.phar.pubkey | 6 +++
+ ext/phar/tests/files/openssl512.phar | Bin 0 -> 7129 bytes
+ ext/phar/tests/files/openssl512.phar.pubkey | 6 +++
+ .../phar_get_supported_signatures_002a.phpt | 6 ++-
+ .../tests/tar/phar_setsignaturealgo2.phpt | 16 +++++++
+ ext/phar/tests/test_signaturealgos.phpt | 8 ++++
+ ext/phar/util.c | 45 ++++++++++++++----
+ 14 files changed, 128 insertions(+), 18 deletions(-)
+ create mode 100644 ext/phar/tests/files/openssl256.phar
+ create mode 100644 ext/phar/tests/files/openssl256.phar.pubkey
+ create mode 100644 ext/phar/tests/files/openssl512.phar
+ create mode 100644 ext/phar/tests/files/openssl512.phar.pubkey
+
+diff --git a/ext/phar/phar.1.in b/ext/phar/phar.1.in
+index 77912b241dfd5..323e77b0e2a3b 100644
+--- a/ext/phar/phar.1.in
++++ b/ext/phar/phar.1.in
+@@ -475,7 +475,15 @@ SHA512
+ .TP
+ .PD
+ .B openssl
+-OpenSSL
++OpenSSL using SHA-1
++.TP
++.PD
++.B openssl_sha256
++OpenSSL using SHA-256
++.TP
++.PD
++.B openssl_sha512
++OpenSSL using SHA-512
+
+ .SH SEE ALSO
+ For a more or less complete description of PHAR look here:
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 77f21cef9da53..bc08e4edde05d 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -869,6 +869,8 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch
+ PHAR_GET_32(sig_ptr, sig_flags);
+
+ switch(sig_flags) {
++ case PHAR_SIG_OPENSSL_SHA512:
++ case PHAR_SIG_OPENSSL_SHA256:
+ case PHAR_SIG_OPENSSL: {
+ uint32_t signature_len;
+ char *sig;
+@@ -903,7 +905,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch
+ return FAILURE;
+ }
+
+- if (FAILURE == phar_verify_signature(fp, end_of_phar, PHAR_SIG_OPENSSL, sig, signature_len, fname, &signature, &sig_len, error)) {
++ if (FAILURE == phar_verify_signature(fp, end_of_phar, sig_flags, sig, signature_len, fname, &signature, &sig_len, error)) {
+ efree(savebuf);
+ efree(sig);
+ php_stream_close(fp);
+@@ -3162,7 +3164,9 @@ int phar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int conv
+
+ php_stream_write(newfile, digest, digest_len);
+ efree(digest);
+- if (phar->sig_flags == PHAR_SIG_OPENSSL) {
++ if (phar->sig_flags == PHAR_SIG_OPENSSL ||
++ phar->sig_flags == PHAR_SIG_OPENSSL_SHA256 ||
++ phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) {
+ phar_set_32(sig_buf, digest_len);
+ php_stream_write(newfile, sig_buf, 4);
+ }
+diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc
+index 5f698b4bec26b..1b1eeca59c560 100644
+--- a/ext/phar/phar/pharcommand.inc
++++ b/ext/phar/phar/pharcommand.inc
+@@ -92,7 +92,7 @@ class PharCommand extends CLICommand
+ 'typ' => 'select',
+ 'val' => NULL,
+ 'inf' => '<method> Selects the hash algorithm.',
+- 'select' => array('md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL')
++ 'select' => ['md5' => 'MD5','sha1' => 'SHA1', 'sha256' => 'SHA256', 'sha512' => 'SHA512', 'openssl' => 'OPENSSL', 'openssl_sha256' => 'OPENSSL_SHA256', 'openssl_sha512' => 'OPENSSL_SHA512']
+ ),
+ 'i' => array(
+ 'typ' => 'regex',
+@@ -156,6 +156,8 @@ class PharCommand extends CLICommand
+ $hash_avail = Phar::getSupportedSignatures();
+ $hash_optional = array('SHA-256' => 'SHA256',
+ 'SHA-512' => 'SHA512',
++ 'OpenSSL_sha256' => 'OpenSSL_SHA256',
++ 'OpenSSL_sha512' => 'OpenSSL_SHA512',
+ 'OpenSSL' => 'OpenSSL');
+ if (!in_array('OpenSSL', $hash_avail)) {
+ unset($phar_args['y']);
+@@ -429,6 +431,16 @@ class PharCommand extends CLICommand
+ self::error("Cannot use OpenSSL signing without key.\n");
+ }
+ return Phar::OPENSSL;
++ case 'openssl_sha256':
++ if (!$privkey) {
++ self::error("Cannot use OpenSSL signing without key.\n");
++ }
++ return Phar::OPENSSL_SHA256;
++ case 'openssl_sha512':
++ if (!$privkey) {
++ self::error("Cannot use OpenSSL signing without key.\n");
++ }
++ return Phar::OPENSSL_SHA512;
+ }
+ }
+ // }}}
+diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
+index a9f81e2ab994a..30b408a8c4462 100644
+--- a/ext/phar/phar_internal.h
++++ b/ext/phar/phar_internal.h
+@@ -88,6 +88,8 @@
+ #define PHAR_SIG_SHA256 0x0003
+ #define PHAR_SIG_SHA512 0x0004
+ #define PHAR_SIG_OPENSSL 0x0010
++#define PHAR_SIG_OPENSSL_SHA256 0x0011
++#define PHAR_SIG_OPENSSL_SHA512 0x0012
+
+ /* flags byte for each file adheres to these bitmasks.
+ All unused values are reserved */
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index 9c1e5f2fa1eef..c05970e657f18 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -1246,9 +1246,13 @@ PHP_METHOD(Phar, getSupportedSignatures)
+ add_next_index_stringl(return_value, "SHA-512", 7);
+ #ifdef PHAR_HAVE_OPENSSL
+ add_next_index_stringl(return_value, "OpenSSL", 7);
++ add_next_index_stringl(return_value, "OpenSSL_SHA256", 14);
++ add_next_index_stringl(return_value, "OpenSSL_SHA512", 14);
+ #else
+ if (zend_hash_str_exists(&module_registry, "openssl", sizeof("openssl")-1)) {
+ add_next_index_stringl(return_value, "OpenSSL", 7);
++ add_next_index_stringl(return_value, "OpenSSL_SHA256", 14);
++ add_next_index_stringl(return_value, "OpenSSL_SHA512", 14);
+ }
+ #endif
+ }
+@@ -3028,6 +3032,8 @@ PHP_METHOD(Phar, setSignatureAlgorithm)
+ case PHAR_SIG_MD5:
+ case PHAR_SIG_SHA1:
+ case PHAR_SIG_OPENSSL:
++ case PHAR_SIG_OPENSSL_SHA256:
++ case PHAR_SIG_OPENSSL_SHA512:
+ if (phar_obj->archive->is_persistent && FAILURE == phar_copy_on_write(&(phar_obj->archive))) {
+ zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" is persistent, unable to copy on write", phar_obj->archive->fname);
+ RETURN_THROWS();
+@@ -3066,19 +3072,25 @@ PHP_METHOD(Phar, getSignature)
+ add_assoc_stringl(return_value, "hash", phar_obj->archive->signature, phar_obj->archive->sig_len);
+ switch(phar_obj->archive->sig_flags) {
+ case PHAR_SIG_MD5:
+- add_assoc_stringl(return_value, "hash_type", "MD5", 3);
++ add_assoc_string(return_value, "hash_type", "MD5");
+ break;
+ case PHAR_SIG_SHA1:
+- add_assoc_stringl(return_value, "hash_type", "SHA-1", 5);
++ add_assoc_string(return_value, "hash_type", "SHA-1");
+ break;
+ case PHAR_SIG_SHA256:
+- add_assoc_stringl(return_value, "hash_type", "SHA-256", 7);
++ add_assoc_string(return_value, "hash_type", "SHA-256");
+ break;
+ case PHAR_SIG_SHA512:
+- add_assoc_stringl(return_value, "hash_type", "SHA-512", 7);
++ add_assoc_string(return_value, "hash_type", "SHA-512");
+ break;
+ case PHAR_SIG_OPENSSL:
+- add_assoc_stringl(return_value, "hash_type", "OpenSSL", 7);
++ add_assoc_string(return_value, "hash_type", "OpenSSL");
++ break;
++ case PHAR_SIG_OPENSSL_SHA256:
++ add_assoc_string(return_value, "hash_type", "OpenSSL_SHA256");
++ break;
++ case PHAR_SIG_OPENSSL_SHA512:
++ add_assoc_string(return_value, "hash_type", "OpenSSL_SHA512");
+ break;
+ default:
+ unknown = strpprintf(0, "Unknown (%u)", phar_obj->archive->sig_flags);
+@@ -5103,6 +5115,8 @@ void phar_object_init(void) /* {{{ */
+ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "PHPS", PHAR_MIME_PHPS)
+ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "MD5", PHAR_SIG_MD5)
+ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL", PHAR_SIG_OPENSSL)
++ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL_SHA256", PHAR_SIG_OPENSSL_SHA256)
++ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL_SHA512", PHAR_SIG_OPENSSL_SHA512)
+ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA1", PHAR_SIG_SHA1)
+ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA256", PHAR_SIG_SHA256)
+ REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA512", PHAR_SIG_SHA512)
+diff --git a/ext/phar/tests/phar_get_supported_signatures_002a.phpt b/ext/phar/tests/phar_get_supported_signatures_002a.phpt
+index 06d811f2c35c2..639143b3d2c90 100644
+--- a/ext/phar/tests/phar_get_supported_signatures_002a.phpt
++++ b/ext/phar/tests/phar_get_supported_signatures_002a.phpt
+@@ -14,7 +14,7 @@ phar.readonly=0
+ var_dump(Phar::getSupportedSignatures());
+ ?>
+ --EXPECT--
+-array(5) {
++array(7) {
+ [0]=>
+ string(3) "MD5"
+ [1]=>
+@@ -25,4 +25,8 @@ array(5) {
+ string(7) "SHA-512"
+ [4]=>
+ string(7) "OpenSSL"
++ [5]=>
++ string(14) "OpenSSL_SHA256"
++ [6]=>
++ string(14) "OpenSSL_SHA512"
+ }
+diff --git a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
+index cc10a241d739b..c2eb5d77a5bf0 100644
+--- a/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
++++ b/ext/phar/tests/tar/phar_setsignaturealgo2.phpt
+@@ -38,6 +38,10 @@ $pkey = '';
+ openssl_pkey_export($private, $pkey, NULL, $config_arg);
+ $p->setSignatureAlgorithm(Phar::OPENSSL, $pkey);
+ var_dump($p->getSignature());
++$p->setSignatureAlgorithm(Phar::OPENSSL_SHA512, $pkey);
++var_dump($p->getSignature());
++$p->setSignatureAlgorithm(Phar::OPENSSL_SHA256, $pkey);
++var_dump($p->getSignature());
+ } catch (Exception $e) {
+ echo $e->getMessage();
+ }
+@@ -83,3 +87,15 @@ array(2) {
+ ["hash_type"]=>
+ string(7) "OpenSSL"
+ }
++array(2) {
++ ["hash"]=>
++ string(%d) "%s"
++ ["hash_type"]=>
++ string(14) "OpenSSL_SHA512"
++}
++array(2) {
++ ["hash"]=>
++ string(%d) "%s"
++ ["hash_type"]=>
++ string(14) "OpenSSL_SHA256"
++}
+diff --git a/ext/phar/util.c b/ext/phar/util.c
+index 8d2db03b69601..515830bf2c70a 100644
+--- a/ext/phar/util.c
++++ b/ext/phar/util.c
+@@ -34,7 +34,7 @@
+ #include <openssl/ssl.h>
+ #include <openssl/pkcs12.h>
+ #else
+-static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len);
++static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, php_uint32 sig_type);
+ #endif
+
+ /* for links to relative location, prepend cwd of the entry */
+@@ -1381,11 +1381,11 @@ static int phar_hex_str(const char *digest, size_t digest_len, char **signature)
+ /* }}} */
+
+ #ifndef PHAR_HAVE_OPENSSL
+-static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len) /* {{{ */
++static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t end, char *key, size_t key_len, char **signature, size_t *signature_len, php_uint32 sig_type) /* {{{ */
+ {
+ zend_fcall_info fci;
+ zend_fcall_info_cache fcc;
+- zval retval, zp[3], openssl;
++ zval retval, zp[4], openssl;
+ zend_string *str;
+
+ ZVAL_STRINGL(&openssl, is_sign ? "openssl_sign" : "openssl_verify", is_sign ? sizeof("openssl_sign")-1 : sizeof("openssl_verify")-1);
+@@ -1402,6 +1402,14 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t
+ } else {
+ ZVAL_EMPTY_STRING(&zp[0]);
+ }
++ if (sig_type == PHAR_SIG_OPENSSL_SHA512) {
++ ZVAL_LONG(&zp[3], 9); /* value from openssl.c #define OPENSSL_ALGO_SHA512 9 */
++ } else if (sig_type == PHAR_SIG_OPENSSL_SHA256) {
++ ZVAL_LONG(&zp[3], 7); /* value from openssl.c #define OPENSSL_ALGO_SHA256 7 */
++ } else {
++ /* don't rely on default value which may change in the future */
++ ZVAL_LONG(&zp[3], 1); /* value from openssl.c #define OPENSSL_ALGO_SHA1 1 */
++ }
+
+ if ((size_t)end != Z_STRLEN(zp[0])) {
+ zval_ptr_dtor_str(&zp[0]);
+@@ -1419,7 +1427,7 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t
+ return FAILURE;
+ }
+
+- fci.param_count = 3;
++ fci.param_count = 4;
+ fci.params = zp;
+ Z_ADDREF(zp[0]);
+ if (is_sign) {
+@@ -1482,12 +1490,22 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
+ php_stream_rewind(fp);
+
+ switch (sig_type) {
++ case PHAR_SIG_OPENSSL_SHA512:
++ case PHAR_SIG_OPENSSL_SHA256:
+ case PHAR_SIG_OPENSSL: {
+ #ifdef PHAR_HAVE_OPENSSL
+ BIO *in;
+ EVP_PKEY *key;
+- EVP_MD *mdtype = (EVP_MD *) EVP_sha1();
++ const EVP_MD *mdtype;
+ EVP_MD_CTX *md_ctx;
++
++ if (sig_type == PHAR_SIG_OPENSSL_SHA512) {
++ mdtype = EVP_sha512();
++ } else if (sig_type == PHAR_SIG_OPENSSL_SHA256) {
++ mdtype = EVP_sha256();
++ } else {
++ mdtype = EVP_sha1();
++ }
+ #else
+ size_t tempsig;
+ #endif
+@@ -1521,7 +1539,7 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
+ #ifndef PHAR_HAVE_OPENSSL
+ tempsig = sig_len;
+
+- if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey ? ZSTR_VAL(pubkey) : NULL, pubkey ? ZSTR_LEN(pubkey) : 0, &sig, &tempsig)) {
++ if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey ? ZSTR_VAL(pubkey) : NULL, pubkey ? ZSTR_LEN(pubkey) : 0, &sig, &tempsig, sig_type)) {
+ if (pubkey) {
+ zend_string_release_ex(pubkey, 0);
+ }
+@@ -1815,6 +1833,8 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
+ *signature_length = 32;
+ break;
+ }
++ case PHAR_SIG_OPENSSL_SHA512:
++ case PHAR_SIG_OPENSSL_SHA256:
+ case PHAR_SIG_OPENSSL: {
+ unsigned char *sigbuf;
+ #ifdef PHAR_HAVE_OPENSSL
+@@ -1822,6 +1842,15 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
+ BIO *in;
+ EVP_PKEY *key;
+ EVP_MD_CTX *md_ctx;
++ const EVP_MD *mdtype;
++
++ if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA512) {
++ mdtype = EVP_sha512();
++ } else if (phar->sig_flags == PHAR_SIG_OPENSSL_SHA256) {
++ mdtype = EVP_sha256();
++ } else {
++ mdtype = EVP_sha1();
++ }
+
+ in = BIO_new_mem_buf(PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len));
+
+@@ -1847,7 +1876,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
+ siglen = EVP_PKEY_size(key);
+ sigbuf = emalloc(siglen + 1);
+
+- if (!EVP_SignInit(md_ctx, EVP_sha1())) {
++ if (!EVP_SignInit(md_ctx, mdtype)) {
+ EVP_PKEY_free(key);
+ efree(sigbuf);
+ if (error) {
+@@ -1885,7 +1914,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
+ siglen = 0;
+ php_stream_seek(fp, 0, SEEK_END);
+
+- if (FAILURE == phar_call_openssl_signverify(1, fp, php_stream_tell(fp), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen)) {
++ if (FAILURE == phar_call_openssl_signverify(1, fp, php_stream_tell(fp), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen, phar->sig_flags)) {
+ if (error) {
+ spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname);
+ }
diff --git a/SOURCES/php-8.0.10-snmp-sha.patch b/SOURCES/php-8.0.10-snmp-sha.patch
new file mode 100644
index 0000000..3ef67ea
--- /dev/null
+++ b/SOURCES/php-8.0.10-snmp-sha.patch
@@ -0,0 +1,143 @@
+Backported for 8.0 from
+
+
+From 718e91343fddb8817a004f96f111c424843bf746 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Wed, 11 Aug 2021 13:02:18 +0200
+Subject: [PATCH] add SHA256 and SHA512 for security protocol
+
+---
+ ext/snmp/config.m4 | 18 +++++++++-
+ ext/snmp/snmp.c | 33 ++++++++++++++++++-
+ .../tests/snmp-object-setSecurity_error.phpt | 2 +-
+ ext/snmp/tests/snmp3-error.phpt | 2 +-
+ 4 files changed, 51 insertions(+), 4 deletions(-)
+
+diff --git a/ext/snmp/config.m4 b/ext/snmp/config.m4
+index 1475ddfe2b7f0..f285a572de9cb 100644
+--- a/ext/snmp/config.m4
++++ b/ext/snmp/config.m4
+@@ -30,7 +30,7 @@ if test "$PHP_SNMP" != "no"; then
+ AC_MSG_ERROR([Could not find the required paths. Please check your net-snmp installation.])
+ fi
+ else
+- AC_MSG_ERROR([Net-SNMP version 5.3 or greater reqired (detected $snmp_full_version).])
++ AC_MSG_ERROR([Net-SNMP version 5.3 or greater required (detected $snmp_full_version).])
+ fi
+ else
+ AC_MSG_ERROR([Could not find net-snmp-config binary. Please check your net-snmp installation.])
+@@ -54,6 +54,22 @@ if test "$PHP_SNMP" != "no"; then
+ $SNMP_SHARED_LIBADD
+ ])
+
++ dnl Check whether usmHMAC192SHA256AuthProtocol exists.
++ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC192SHA256AuthProtocol,
++ [
++ AC_DEFINE(HAVE_SNMP_SHA256, 1, [ ])
++ ], [], [
++ $SNMP_SHARED_LIBADD
++ ])
++
++ dnl Check whether usmHMAC384SHA512AuthProtocol exists.
++ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC384SHA512AuthProtocol,
++ [
++ AC_DEFINE(HAVE_SNMP_SHA512, 1, [ ])
++ ], [], [
++ $SNMP_SHARED_LIBADD
++ ])
++
+ PHP_NEW_EXTENSION(snmp, snmp.c, $ext_shared)
+ PHP_SUBST(SNMP_SHARED_LIBADD)
+ fi
+diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
+index 69d6549405b17..f0917501751f5 100644
+--- a/ext/snmp/snmp.c
++++ b/ext/snmp/snmp.c
+@@ -29,6 +29,7 @@
+ #include "php_snmp.h"
+
+ #include "zend_exceptions.h"
++#include "zend_smart_string.h"
+ #include "ext/spl/spl_exceptions.h"
+ #include "snmp_arginfo.h"
+
+@@ -938,16 +939,48 @@ static int netsnmp_session_set_auth_prot
+ if (!strcasecmp(prot, "MD5")) {
+ s->securityAuthProto = usmHMACMD5AuthProtocol;
+ s->securityAuthProtoLen = USM_AUTH_PROTO_MD5_LEN;
+- } else
++ return true;
++ }
+ #endif
++
+ if (!strcasecmp(prot, "SHA")) {
+ s->securityAuthProto = usmHMACSHA1AuthProtocol;
+ s->securityAuthProtoLen = USM_AUTH_PROTO_SHA_LEN;
+- } else {
+- zend_value_error("Authentication protocol must be either \"MD5\" or \"SHA\"");
+- return (-1);
++ return true;
+ }
+- return (0);
++
++#ifdef HAVE_SNMP_SHA256
++ if (!strcasecmp(prot, "SHA256")) {
++ s->securityAuthProto = usmHMAC192SHA256AuthProtocol;
++ s->securityAuthProtoLen = sizeof(usmHMAC192SHA256AuthProtocol) / sizeof(oid);
++ return true;
++ }
++#endif
++
++#ifdef HAVE_SNMP_SHA512
++ if (!strcasecmp(prot, "SHA512")) {
++ s->securityAuthProto = usmHMAC384SHA512AuthProtocol;
++ s->securityAuthProtoLen = sizeof(usmHMAC384SHA512AuthProtocol) / sizeof(oid);
++ return true;
++ }
++#endif
++
++ smart_string err = {0};
++
++ smart_string_appends(&err, "Authentication protocol must be \"SHA\"");
++#ifdef HAVE_SNMP_SHA256
++ smart_string_appends(&err, " or \"SHA256\"");
++#endif
++#ifdef HAVE_SNMP_SHA512
++ smart_string_appends(&err, " or \"SHA512\"");
++#endif
++#ifndef DISABLE_MD5
++ smart_string_appends(&err, " or \"MD5\"");
++#endif
++ smart_string_0(&err);
++ zend_value_error("%s", err.c);
++ smart_string_free(&err);
++ return false;
+ }
+ /* }}} */
+
+diff --git a/ext/snmp/tests/snmp-object-setSecurity_error.phpt b/ext/snmp/tests/snmp-object-setSecurity_error.phpt
+index f8de846492a75..cf4f928837773 100644
+--- a/ext/snmp/tests/snmp-object-setSecurity_error.phpt
++++ b/ext/snmp/tests/snmp-object-setSecurity_error.phpt
+@@ -59,7 +59,7 @@ var_dump($session->close());
+ --EXPECTF--
+ Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
+ Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
+-Authentication protocol must be either "MD5" or "SHA"
++Authentication protocol must be %s
+
+ Warning: SNMP::setSecurity(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d
+ bool(false)
+diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt
+index 849e363b45058..389800dad6b28 100644
+--- a/ext/snmp/tests/snmp3-error.phpt
++++ b/ext/snmp/tests/snmp3-error.phpt
+@@ -58,7 +58,7 @@ try {
+ Checking error handling
+ Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
+ Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
+-Authentication protocol must be either "MD5" or "SHA"
++Authentication protocol must be %s
+
+ Warning: snmp3_get(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d
+ bool(false)
diff --git a/SOURCES/php-8.0.10-systzdata-v20.patch b/SOURCES/php-8.0.10-systzdata-v20.patch
new file mode 100644
index 0000000..5b0d84b
--- /dev/null
+++ b/SOURCES/php-8.0.10-systzdata-v20.patch
@@ -0,0 +1,660 @@
+# License: MIT
+# http://opensource.org/licenses/MIT
+
+Add support for use of the system timezone database, rather
+than embedding a copy. Discussed upstream but was not desired.
+
+History:
+r20: adapt for timelib 2020.03 (in 8.0.10RC1)
+r19: adapt for timelib 2020.02 (in 8.0.0beta2)
+r18: adapt for autotool change in 7.3.3RC1
+r17: adapt for timelib 2018.01 (in 7.3.2RC1)
+r16: adapt for timelib 2017.06 (in 7.2.3RC1)
+r15: adapt for timelib 2017.05beta7 (in 7.2.0RC1)
+r14: improve check for valid tz file
+r13: adapt for upstream changes to use PHP allocator
+r12: adapt for upstream changes for new zic
+r11: use canonical names to avoid more case sensitivity issues
+ round lat/long from zone.tab towards zero per builtin db
+r10: make timezone case insensitive
+r9: fix another compile error without --with-system-tzdata configured (Michael Heimpold)
+r8: fix compile error without --with-system-tzdata configured
+r7: improve check for valid timezone id to exclude directories
+r6: fix fd leak in r5, fix country code/BC flag use in
+ timezone_identifiers_list() using system db,
+ fix use of PECL timezonedb to override system db,
+r5: reverts addition of "System/Localtime" fake tzname.
+ updated for 5.3.0, parses zone.tab to pick up mapping between
+ timezone name, country code and long/lat coords
+r4: added "System/Localtime" tzname which uses /etc/localtime
+r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert)
+r2: add filesystem trawl to set up name alias index
+r1: initial revision
+
+diff -up ./ext/date/config0.m4.systzdata ./ext/date/config0.m4
+--- ./ext/date/config0.m4.systzdata 2021-08-10 11:35:28.000000000 +0200
++++ ./ext/date/config0.m4 2021-08-10 12:09:41.067003517 +0200
+@@ -4,6 +4,19 @@ AC_CHECK_HEADERS([io.h])
+ dnl Check for strtoll, atoll
+ AC_CHECK_FUNCS(strtoll atoll)
+
++PHP_ARG_WITH(system-tzdata, for use of system timezone data,
++[ --with-system-tzdata[=DIR] to specify use of system timezone data],
++no, no)
++
++if test "$PHP_SYSTEM_TZDATA" != "no"; then
++ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used])
++
++ if test "$PHP_SYSTEM_TZDATA" != "yes"; then
++ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA",
++ [Define for location of system timezone data])
++ fi
++fi
++
+ PHP_DATE_CFLAGS="-I@ext_builddir@/lib -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -DHAVE_TIMELIB_CONFIG_H=1"
+ timelib_sources="lib/astro.c lib/dow.c lib/parse_date.c lib/parse_tz.c
+ lib/timelib.c lib/tm2unixtime.c lib/unixtime2tm.c lib/parse_iso_intervals.c lib/interval.c"
+diff -up ./ext/date/lib/parse_tz.c.systzdata ./ext/date/lib/parse_tz.c
+--- ./ext/date/lib/parse_tz.c.systzdata 2021-08-10 11:35:28.000000000 +0200
++++ ./ext/date/lib/parse_tz.c 2021-08-10 12:12:13.191605207 +0200
+@@ -26,8 +26,21 @@
+ #include "timelib.h"
+ #include "timelib_private.h"
+
++#ifdef HAVE_SYSTEM_TZDATA
++#include <sys/mman.h>
++#include <sys/stat.h>
++#include <limits.h>
++#include <fcntl.h>
++#include <unistd.h>
++
++#include "php_scandir.h"
++
++#else
+ #define TIMELIB_SUPPORTS_V2DATA
+ #include "timezonedb.h"
++#endif
++
++#include <ctype.h>
+
+ #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__))
+ # if defined(__LITTLE_ENDIAN__)
+@@ -94,6 +107,11 @@ static int read_php_preamble(const unsig
+ {
+ uint32_t version;
+
++ if (memcmp(*tzf, "TZif", 4) == 0) {
++ *tzf += 20;
++ return 0;
++ }
++
+ /* read ID */
+ version = (*tzf)[3] - '0';
+ *tzf += 4;
+@@ -435,7 +453,429 @@ void timelib_dump_tzinfo(timelib_tzinfo
+ }
+ }
+
+-static int seek_to_tz_position(const unsigned char **tzf, const char *timezone, const timelib_tzdb *tzdb)
++#ifdef HAVE_SYSTEM_TZDATA
++
++#ifdef HAVE_SYSTEM_TZDATA_PREFIX
++#define ZONEINFO_PREFIX HAVE_SYSTEM_TZDATA_PREFIX
++#else
++#define ZONEINFO_PREFIX "/usr/share/zoneinfo"
++#endif
++
++/* System timezone database pointer. */
++static const timelib_tzdb *timezonedb_system;
++
++/* Hash table entry for the cache of the zone.tab mapping table. */
++struct location_info {
++ char code[2];
++ double latitude, longitude;
++ char name[64];
++ char *comment;
++ struct location_info *next;
++};
++
++/* Cache of zone.tab. */
++static struct location_info **system_location_table;
++
++/* Size of the zone.tab hash table; a random-ish prime big enough to
++ * prevent too many collisions. */
++#define LOCINFO_HASH_SIZE (1021)
++
++/* Compute a case insensitive hash of str */
++static uint32_t tz_hash(const char *str)
++{
++ const unsigned char *p = (const unsigned char *)str;
++ uint32_t hash = 5381;
++ int c;
++
++ while ((c = tolower(*p++)) != '\0') {
++ hash = (hash << 5) ^ hash ^ c;
++ }
++
++ return hash % LOCINFO_HASH_SIZE;
++}
++
++/* Parse an ISO-6709 date as used in zone.tab. Returns end of the
++ * parsed string on success, or NULL on parse error. On success,
++ * writes the parsed number to *result. */
++static char *parse_iso6709(char *p, double *result)
++{
++ double v, sign;
++ char *pend;
++ size_t len;
++
++ if (*p == '+')
++ sign = 1.0;
++ else if (*p == '-')
++ sign = -1.0;
++ else
++ return NULL;
++
++ p++;
++ for (pend = p; *pend >= '0' && *pend <= '9'; pend++)
++ ;;
++
++ /* Annoying encoding used by zone.tab has no decimal point, so use
++ * the length to determine the format:
++ *
++ * 4 = DDMM
++ * 5 = DDDMM
++ * 6 = DDMMSS
++ * 7 = DDDMMSS
++ */
++ len = pend - p;
++ if (len < 4 || len > 7) {
++ return NULL;
++ }
++
++ /* p => [D]DD */
++ v = (p[0] - '0') * 10.0 + (p[1] - '0');
++ p += 2;
++ if (len == 5 || len == 7)
++ v = v * 10.0 + (*p++ - '0');
++ /* p => MM[SS] */
++ v += (10.0 * (p[0] - '0')
++ + p[1] - '0') / 60.0;
++ p += 2;
++ /* p => [SS] */
++ if (len > 5) {
++ v += (10.0 * (p[0] - '0')
++ + p[1] - '0') / 3600.0;
++ p += 2;
++ }
++
++ /* Round to five decimal place, not because it's a good idea,
++ * but, because the builtin data uses rounded data, so, match
++ * that. */
++ *result = trunc(v * sign * 100000.0) / 100000.0;
++
++ return p;
++}
++
++/* This function parses the zone.tab file to build up the mapping of
++ * timezone to country code and geographic location, and returns a
++ * hash table. The hash table is indexed by the function:
++ *
++ * tz_hash(timezone-name)
++ */
++static struct location_info **create_location_table(void)
++{
++ struct location_info **li, *i;
++ char zone_tab[PATH_MAX];
++ char line[512];
++ FILE *fp;
++
++ strncpy(zone_tab, ZONEINFO_PREFIX "/zone.tab", sizeof zone_tab);
++
++ fp = fopen(zone_tab, "r");
++ if (!fp) {
++ return NULL;
++ }
++
++ li = calloc(LOCINFO_HASH_SIZE, sizeof *li);
++
++ while (fgets(line, sizeof line, fp)) {
++ char *p = line, *code, *name, *comment;
++ uint32_t hash;
++ double latitude, longitude;
++
++ while (isspace(*p))
++ p++;
++
++ if (*p == '#' || *p == '\0' || *p == '\n')
++ continue;
++
++ if (!isalpha(p[0]) || !isalpha(p[1]) || p[2] != '\t')
++ continue;
++
++ /* code => AA */
++ code = p;
++ p[2] = 0;
++ p += 3;
++
++ /* coords => [+-][D]DDMM[SS][+-][D]DDMM[SS] */
++ p = parse_iso6709(p, &latitude);
++ if (!p) {
++ continue;
++ }
++ p = parse_iso6709(p, &longitude);
++ if (!p) {
++ continue;
++ }
++
++ if (!p || *p != '\t') {
++ continue;
++ }
++
++ /* name = string */
++ name = ++p;
++ while (*p != '\t' && *p && *p != '\n')
++ p++;
++
++ *p++ = '\0';
++
++ /* comment = string */
++ comment = p;
++ while (*p != '\t' && *p && *p != '\n')
++ p++;
++
++ if (*p == '\n' || *p == '\t')
++ *p = '\0';
++
++ hash = tz_hash(name);
++ i = malloc(sizeof *i);
++ memcpy(i->code, code, 2);
++ strncpy(i->name, name, sizeof i->name);
++ i->comment = strdup(comment);
++ i->longitude = longitude;
++ i->latitude = latitude;
++ i->next = li[hash];
++ li[hash] = i;
++ /* printf("%s [%u, %f, %f]\n", name, hash, latitude, longitude); */
++ }
++
++ fclose(fp);
++
++ return li;
++}
++
++/* Return location info from hash table, using given timezone name.
++ * Returns NULL if the name could not be found. */
++const struct location_info *find_zone_info(struct location_info **li,
++ const char *name)
++{
++ uint32_t hash = tz_hash(name);
++ const struct location_info *l;
++
++ if (!li) {
++ return NULL;
++ }
++
++ for (l = li[hash]; l; l = l->next) {
++ if (timelib_strcasecmp(l->name, name) == 0)
++ return l;
++ }
++
++ return NULL;
++}
++
++/* Filter out some non-tzdata files and the posix/right databases, if
++ * present. */
++static int index_filter(const struct dirent *ent)
++{
++ return strcmp(ent->d_name, ".") != 0
++ && strcmp(ent->d_name, "..") != 0
++ && strcmp(ent->d_name, "posix") != 0
++ && strcmp(ent->d_name, "posixrules") != 0
++ && strcmp(ent->d_name, "right") != 0
++ && strstr(ent->d_name, ".list") == NULL
++ && strstr(ent->d_name, ".tab") == NULL;
++}
++
++static int sysdbcmp(const void *first, const void *second)
++{
++ const timelib_tzdb_index_entry *alpha = first, *beta = second;
++
++ return timelib_strcasecmp(alpha->id, beta->id);
++}
++
++
++/* Create the zone identifier index by trawling the filesystem. */
++static void create_zone_index(timelib_tzdb *db)
++{
++ size_t dirstack_size, dirstack_top;
++ size_t index_size, index_next;
++ timelib_tzdb_index_entry *db_index;
++ char **dirstack;
++
++ /* LIFO stack to hold directory entries to scan; each slot is a
++ * directory name relative to the zoneinfo prefix. */
++ dirstack_size = 32;
++ dirstack = malloc(dirstack_size * sizeof *dirstack);
++ dirstack_top = 1;
++ dirstack[0] = strdup("");
++
++ /* Index array. */
++ index_size = 64;
++ db_index = malloc(index_size * sizeof *db_index);
++ index_next = 0;
++
++ do {
++ struct dirent **ents;
++ char name[PATH_MAX], *top;
++ int count;
++
++ /* Pop the top stack entry, and iterate through its contents. */
++ top = dirstack[--dirstack_top];
++ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s", top);
++
++ count = php_scandir(name, &ents, index_filter, php_alphasort);
++
++ while (count > 0) {
++ struct stat st;
++ const char *leaf = ents[count - 1]->d_name;
++
++ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s/%s",
++ top, leaf);
++
++ if (strlen(name) && stat(name, &st) == 0) {
++ /* Name, relative to the zoneinfo prefix. */
++ const char *root = top;
++
++ if (root[0] == '/') root++;
++
++ snprintf(name, sizeof name, "%s%s%s", root,
++ *root ? "/": "", leaf);
++
++ if (S_ISDIR(st.st_mode)) {
++ if (dirstack_top == dirstack_size) {
++ dirstack_size *= 2;
++ dirstack = realloc(dirstack,
++ dirstack_size * sizeof *dirstack);
++ }
++ dirstack[dirstack_top++] = strdup(name);
++ }
++ else {
++ if (index_next == index_size) {
++ index_size *= 2;
++ db_index = realloc(db_index,
++ index_size * sizeof *db_index);
++ }
++
++ db_index[index_next++].id = strdup(name);
++ }
++ }
++
++ free(ents[--count]);
++ }
++
++ if (count != -1) free(ents);
++ free(top);
++ } while (dirstack_top);
++
++ qsort(db_index, index_next, sizeof *db_index, sysdbcmp);
++
++ db->index = db_index;
++ db->index_size = index_next;
++
++ free(dirstack);
++}
++
++#define FAKE_HEADER "1234\0??\1??"
++#define FAKE_UTC_POS (7 - 4)
++
++/* Create a fake data segment for database 'sysdb'. */
++static void fake_data_segment(timelib_tzdb *sysdb,
++ struct location_info **info)
++{
++ size_t n;
++ char *data, *p;
++
++ data = malloc(3 * sysdb->index_size + 7);
++
++ p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1);
++
++ for (n = 0; n < sysdb->index_size; n++) {
++ const struct location_info *li;
++ timelib_tzdb_index_entry *ent;
++
++ ent = (timelib_tzdb_index_entry *)&sysdb->index[n];
++
++ /* Lookup the timezone name in the hash table. */
++ if (strcmp(ent->id, "UTC") == 0) {
++ ent->pos = FAKE_UTC_POS;
++ continue;
++ }
++
++ li = find_zone_info(info, ent->id);
++ if (li) {
++ /* If found, append the BC byte and the
++ * country code; set the position for this
++ * section of timezone data. */
++ ent->pos = (p - data) - 4;
++ *p++ = '\1';
++ *p++ = li->code[0];
++ *p++ = li->code[1];
++ }
++ else {
++ /* If not found, the timezone data can
++ * point at the header. */
++ ent->pos = 0;
++ }
++ }
++
++ sysdb->data = (unsigned char *)data;
++}
++
++/* Returns true if the passed-in stat structure describes a
++ * probably-valid timezone file. */
++static int is_valid_tzfile(const struct stat *st, int fd)
++{
++ if (fd) {
++ char buf[20];
++ if (read(fd, buf, 20)!=20) {
++ return 0;
++ }
++ lseek(fd, SEEK_SET, 0);
++ if (memcmp(buf, "TZif", 4)) {
++ return 0;
++ }
++ }
++ return S_ISREG(st->st_mode) && st->st_size > 20;
++}
++
++/* To allow timezone names to be used case-insensitively, find the
++ * canonical name for this timezone, if possible. */
++static const char *canonical_tzname(const char *timezone)
++{
++ if (timezonedb_system) {
++ timelib_tzdb_index_entry *ent, lookup;
++
++ lookup.id = (char *)timezone;
++
++ ent = bsearch(&lookup, timezonedb_system->index,
++ timezonedb_system->index_size, sizeof lookup,
++ sysdbcmp);
++ if (ent) {
++ return ent->id;
++ }
++ }
++
++ return timezone;
++}
++
++/* Return the mmap()ed tzfile if found, else NULL. On success, the
++ * length of the mapped data is placed in *length. */
++static char *map_tzfile(const char *timezone, size_t *length)
++{
++ char fname[PATH_MAX];
++ struct stat st;
++ char *p;
++ int fd;
++
++ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) {
++ return NULL;
++ }
++
++ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone));
++
++ fd = open(fname, O_RDONLY);
++ if (fd == -1) {
++ return NULL;
++ } else if (fstat(fd, &st) != 0 || !is_valid_tzfile(&st, fd)) {
++ close(fd);
++ return NULL;
++ }
++
++ *length = st.st_size;
++ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
++ close(fd);
++
++ return p != MAP_FAILED ? p : NULL;
++}
++
++#endif
++
++static int inmem_seek_to_tz_position(const unsigned char **tzf, const char *timezone, const timelib_tzdb *tzdb)
+ {
+ int left = 0, right = tzdb->index_size - 1;
+
+@@ -461,9 +901,48 @@ static int seek_to_tz_position(const uns
+ return 0;
+ }
+
++static int seek_to_tz_position(const unsigned char **tzf, const char *timezone,
++ char **map, size_t *maplen,
++ const timelib_tzdb *tzdb)
++{
++#ifdef HAVE_SYSTEM_TZDATA
++ if (tzdb == timezonedb_system) {
++ char *orig;
++
++ orig = map_tzfile(timezone, maplen);
++ if (orig == NULL) {
++ return 0;
++ }
++
++ (*tzf) = (unsigned char *)orig;
++ *map = orig;
++ return 1;
++ }
++ else
++#endif
++ {
++ return inmem_seek_to_tz_position(tzf, timezone, tzdb);
++ }
++}
++
+ const timelib_tzdb *timelib_builtin_db(void)
+ {
++#ifdef HAVE_SYSTEM_TZDATA
++ if (timezonedb_system == NULL) {
++ timelib_tzdb *tmp = malloc(sizeof *tmp);
++
++ tmp->version = "0.system";
++ tmp->data = NULL;
++ create_zone_index(tmp);
++ system_location_table = create_location_table();
++ fake_data_segment(tmp, system_location_table);
++ timezonedb_system = tmp;
++ }
++
++ return timezonedb_system;
++#else
+ return &timezonedb_builtin;
++#endif
+ }
+
+ const timelib_tzdb_index_entry *timelib_timezone_identifiers_list(const timelib_tzdb *tzdb, int *count)
+@@ -475,7 +954,30 @@ const timelib_tzdb_index_entry *timelib_
+ int timelib_timezone_id_is_valid(const char *timezone, const timelib_tzdb *tzdb)
+ {
+ const unsigned char *tzf;
+- return (seek_to_tz_position(&tzf, timezone, tzdb));
++
++#ifdef HAVE_SYSTEM_TZDATA
++ if (tzdb == timezonedb_system) {
++ char fname[PATH_MAX];
++ struct stat st;
++
++ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) {
++ return 0;
++ }
++
++ if (system_location_table) {
++ if (find_zone_info(system_location_table, timezone) != NULL) {
++ /* found in cache */
++ return 1;
++ }
++ }
++
++ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone));
++
++ return stat(fname, &st) == 0 && is_valid_tzfile(&st, 0);
++ }
++#endif
++
++ return (inmem_seek_to_tz_position(&tzf, timezone, tzdb));
+ }
+
+ static int skip_64bit_preamble(const unsigned char **tzf, timelib_tzinfo *tz)
+@@ -517,6 +1019,8 @@ static timelib_tzinfo* timelib_tzinfo_ct
+ timelib_tzinfo *timelib_parse_tzfile(const char *timezone, const timelib_tzdb *tzdb, int *error_code)
+ {
+ const unsigned char *tzf;
++ char *memmap = NULL;
++ size_t maplen;
+ timelib_tzinfo *tmp;
+ int version;
+ int transitions_result, types_result;
+@@ -524,7 +1028,7 @@ timelib_tzinfo *timelib_parse_tzfile(con
+
+ *error_code = TIMELIB_ERROR_NO_ERROR;
+
+- if (seek_to_tz_position(&tzf, timezone, tzdb)) {
++ if (seek_to_tz_position(&tzf, timezone, &memmap, &maplen, tzdb)) {
+ tmp = timelib_tzinfo_ctor(timezone);
+
+ version = read_preamble(&tzf, tmp, &type);
+@@ -563,11 +1067,36 @@ timelib_tzinfo *timelib_parse_tzfile(con
+ }
+ skip_posix_string(&tzf, tmp);
+
++#ifdef HAVE_SYSTEM_TZDATA
++ if (memmap) {
++ const struct location_info *li;
++
++ /* TZif-style - grok the location info from the system database,
++ * if possible. */
++
++ if ((li = find_zone_info(system_location_table, timezone)) != NULL) {
++ tmp->location.comments = timelib_strdup(li->comment);
++ strncpy(tmp->location.country_code, li->code, 2);
++ tmp->location.longitude = li->longitude;
++ tmp->location.latitude = li->latitude;
++ tmp->bc = 1;
++ }
++ else {
++ set_default_location_and_comments(&tzf, tmp);
++ }
++
++ /* Now done with the mmap segment - discard it. */
++ munmap(memmap, maplen);
++ } else {
++#endif
+ if (type == TIMELIB_TZINFO_PHP) {
+ read_location(&tzf, tmp);
+ } else {
+ set_default_location_and_comments(&tzf, tmp);
+ }
++#ifdef HAVE_SYSTEM_TZDATA
++ }
++#endif
+ } else {
+ *error_code = TIMELIB_ERROR_NO_SUCH_TIMEZONE;
+ tmp = NULL;
diff --git a/SOURCES/php-8.0.13-crypt.patch b/SOURCES/php-8.0.13-crypt.patch
new file mode 100644
index 0000000..31a8c8a
--- /dev/null
+++ b/SOURCES/php-8.0.13-crypt.patch
@@ -0,0 +1,45 @@
+From fc4e31467c352032ee709ac55d3c67bc22abcd8d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Fri, 15 Oct 2021 17:11:12 +0200
+Subject: [PATCH] add --with-external-libcrypt build option display an error
+ message if some algo not available in external libcrypt
+
+---
+ ext/standard/config.m4 | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/ext/standard/config.m4 b/ext/standard/config.m4
+index 58b9c5e658a4..3ec18be4d7df 100644
+--- a/ext/standard/config.m4
++++ b/ext/standard/config.m4
+@@ -267,14 +267,25 @@ int main() {
+ ])])
+
+
++PHP_ARG_WITH([external-libcrypt],
++ [for external libcrypt or libxcrypt],
++ [AS_HELP_STRING([--with-external-libcrypt],
++ [Use external libcrypt or libxcrypt])],
++ [no],
++ [no])
++
+ dnl
+ dnl If one of them is missing, use our own implementation, portable code is then possible
+ dnl
+-dnl TODO This is currently always enabled
+-if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no" || test "$ac_cv_func_crypt_r" != "yes" || true; then
+- AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 1, [Whether PHP has to use its own crypt_r for blowfish, des, ext des and md5])
+-
+- PHP_ADD_SOURCES(PHP_EXT_DIR(standard), crypt_freesec.c crypt_blowfish.c crypt_sha512.c crypt_sha256.c php_crypt_r.c)
++dnl This is currently enabled by default
++if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "$ac_cv_crypt_md5" = "no" || test "$ac_cv_crypt_sha512" = "no" || test "$ac_cv_crypt_sha256" = "no" || test "$ac_cv_func_crypt_r" != "yes" || test "$PHP_EXTERNAL_LIBCRYPT" = "no"; then
++ if test "$PHP_EXTERNAL_LIBCRYPT" = "no"; then
++ AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 1, [Whether PHP has to use its own crypt_r for blowfish, des, ext des and md5])
++
++ PHP_ADD_SOURCES(PHP_EXT_DIR(standard), crypt_freesec.c crypt_blowfish.c crypt_sha512.c crypt_sha256.c php_crypt_r.c)
++ else
++ AC_MSG_ERROR([Cannot use external libcrypt as some algo are missing])
++ fi
+ else
+ AC_DEFINE_UNQUOTED(PHP_USE_PHP_CRYPT_R, 0, [Whether PHP has to use its own crypt_r for blowfish, des and ext des])
+ fi
diff --git a/SOURCES/php-8.0.13.tar.xz.asc b/SOURCES/php-8.0.13.tar.xz.asc
new file mode 100644
index 0000000..009e606
--- /dev/null
+++ b/SOURCES/php-8.0.13.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJEBAABCgAuFiEEFyn4OTjaROJ7oPTT29s5dHDRIXIFAmGUGpcQHHBvbGxpdGFA
+cGhwLm5ldAAKCRDb2zl0cNEhcuMrD/9c6os7ZNv/cS5I3arv5jvMvogp+ROkHNcd
+NPB+JOjIDVOReKEWYImwhJv2/tD7VdItJTA7drHK8n419nGq0qywyyQuu6aRgUTF
+d2hE4+49fnQjcwZ+Bz/tM2maJ5jy0yZN6lkdBkO8lOXUAEqwPvdaZUl3mjrgPI5k
+MYXidRBvNcioNqHOVkYZ9wzsuGiN81TBU/MreEPBMcaht5agautVw9XMnqJ13pZB
+jnJxCgWUggvpu8KPKNCtTWOVlegkUqi13+GO6J9U2fEYb7be8edMXlTaJWXZkd9H
+VlKlN+/4eXvcRQxzhmxilDpZfYhvmivj/34r3Ox1JYBHS59VCFztMLl4+7cl7D/y
+z/L7U6xHlxW0O2xa6XM1SSUxxIRw8De+2FkFuWCWAkMxJefBqy+fb9jSGqB/gxys
+T2vQdMvswMp0LPmhYjwOyvNXc3TCvPIRxyvdtRqMaAe3IUqkA+B81QTB2kzNPJz3
+8L5t5FR5fLFuIgUGkdE7odStCakriJjsyNRAuSTzJ/X4UzMmUI7cMWpPuJ2PKzBl
+ecK6DB9wBGNQfm4mvlS1vtov4XDGPRmZNx+hnad8seJpGLQ/7kAwbw9XMcvPcOkU
+QfI8IZbSSF7et2Dwup8YrWRG8RrJY5MI4I5xGKYQD/WoygS9yLLrqy+kapo0ajYy
+0bqxeMLb9g==
+=+AGI
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/php-8.0.6-deprecated.patch b/SOURCES/php-8.0.6-deprecated.patch
new file mode 100644
index 0000000..1e6b93b
--- /dev/null
+++ b/SOURCES/php-8.0.6-deprecated.patch
@@ -0,0 +1,400 @@
+From 4dc8b3c0efaae25b08c8f59b068f17c97c59d0ae Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 5 May 2021 15:41:00 +0200
+Subject: [PATCH] get rid of inet_aton and inet_ntoa use inet_ntop iand
+ inet_pton where available standardize buffer size
+
+---
+ ext/sockets/sockaddr_conv.c | 4 ++++
+ ext/sockets/sockets.c | 48 +++++++++++++++++++++++++------------
+ ext/standard/dns.c | 16 ++++++++++++-
+ main/network.c | 20 ++++++++++++++--
+ 4 files changed, 70 insertions(+), 18 deletions(-)
+
+diff --git a/ext/sockets/sockaddr_conv.c b/ext/sockets/sockaddr_conv.c
+index 57996612d2d7e..65c8418fb3a6f 100644
+--- a/ext/sockets/sockaddr_conv.c
++++ b/ext/sockets/sockaddr_conv.c
+@@ -87,7 +87,11 @@ int php_set_inet_addr(struct sockaddr_in *sin, char *string, php_socket *php_soc
+ struct in_addr tmp;
+ struct hostent *host_entry;
+
++#ifdef HAVE_INET_PTON
++ if (inet_pton(AF_INET, string, &tmp)) {
++#else
+ if (inet_aton(string, &tmp)) {
++#endif
+ sin->sin_addr.s_addr = tmp.s_addr;
+ } else {
+ if (strlen(string) > MAXFQDNLEN || ! (host_entry = php_network_gethostbyname(string))) {
+diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
+index 16ad3e8013a4c..85c938d1b97b1 100644
+--- a/ext/sockets/sockets.c
++++ b/ext/sockets/sockets.c
+@@ -220,8 +220,10 @@ zend_module_entry sockets_module_entry = {
+ ZEND_GET_MODULE(sockets)
+ #endif
+
++#ifndef HAVE_INET_NTOP
+ /* inet_ntop should be used instead of inet_ntoa */
+ int inet_ntoa_lock = 0;
++#endif
+
+ static int php_open_listen_sock(php_socket *sock, int port, int backlog) /* {{{ */
+ {
+@@ -1082,10 +1084,12 @@ PHP_FUNCTION(socket_getsockname)
+ struct sockaddr_in *sin;
+ #if HAVE_IPV6
+ struct sockaddr_in6 *sin6;
+- char addr6[INET6_ADDRSTRLEN+1];
++#endif
++#ifdef HAVE_INET_NTOP
++ char addrbuf[INET6_ADDRSTRLEN];
+ #endif
+ struct sockaddr_un *s_un;
+- char *addr_string;
++ const char *addr_string;
+ socklen_t salen = sizeof(php_sockaddr_storage);
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oz|z", &arg1, socket_ce, &addr, &port) == FAILURE) {
+@@ -1106,8 +1110,8 @@ PHP_FUNCTION(socket_getsockname)
+ #if HAVE_IPV6
+ case AF_INET6:
+ sin6 = (struct sockaddr_in6 *) sa;
+- inet_ntop(AF_INET6, &sin6->sin6_addr, addr6, INET6_ADDRSTRLEN);
+- ZEND_TRY_ASSIGN_REF_STRING(addr, addr6);
++ inet_ntop(AF_INET6, &sin6->sin6_addr, addrbuf, sizeof(addrbuf));
++ ZEND_TRY_ASSIGN_REF_STRING(addr, addrbuf);
+
+ if (port != NULL) {
+ ZEND_TRY_ASSIGN_REF_LONG(port, htons(sin6->sin6_port));
+@@ -1117,11 +1121,14 @@ PHP_FUNCTION(socket_getsockname)
+ #endif
+ case AF_INET:
+ sin = (struct sockaddr_in *) sa;
++#ifdef HAVE_INET_NTOP
++ addr_string = inet_ntop(AF_INET, &sin->sin_addr, addrbuf, sizeof(addrbuf));
++#else
+ while (inet_ntoa_lock == 1);
+ inet_ntoa_lock = 1;
+ addr_string = inet_ntoa(sin->sin_addr);
+ inet_ntoa_lock = 0;
+-
++#endif
+ ZEND_TRY_ASSIGN_REF_STRING(addr, addr_string);
+
+ if (port != NULL) {
+@@ -1154,10 +1161,12 @@ PHP_FUNCTION(socket_getpeername)
+ struct sockaddr_in *sin;
+ #if HAVE_IPV6
+ struct sockaddr_in6 *sin6;
+- char addr6[INET6_ADDRSTRLEN+1];
++#endif
++#ifdef HAVE_INET_NTOP
++ char addrbuf[INET6_ADDRSTRLEN];
+ #endif
+ struct sockaddr_un *s_un;
+- char *addr_string;
++ const char *addr_string;
+ socklen_t salen = sizeof(php_sockaddr_storage);
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oz|z", &arg1, socket_ce, &arg2, &arg3) == FAILURE) {
+@@ -1178,9 +1187,9 @@ PHP_FUNCTION(socket_getpeername)
+ #if HAVE_IPV6
+ case AF_INET6:
+ sin6 = (struct sockaddr_in6 *) sa;
+- inet_ntop(AF_INET6, &sin6->sin6_addr, addr6, INET6_ADDRSTRLEN);
++ inet_ntop(AF_INET6, &sin6->sin6_addr, addrbuf, sizeof(addrbuf));
+
+- ZEND_TRY_ASSIGN_REF_STRING(arg2, addr6);
++ ZEND_TRY_ASSIGN_REF_STRING(arg2, addrbuf);
+
+ if (arg3 != NULL) {
+ ZEND_TRY_ASSIGN_REF_LONG(arg3, htons(sin6->sin6_port));
+@@ -1191,11 +1200,14 @@ PHP_FUNCTION(socket_getpeername)
+ #endif
+ case AF_INET:
+ sin = (struct sockaddr_in *) sa;
++#ifdef HAVE_INET_NTOP
++ addr_string = inet_ntop(AF_INET, &sin->sin_addr, addrbuf, sizeof(addrbuf));
++#else
+ while (inet_ntoa_lock == 1);
+ inet_ntoa_lock = 1;
+ addr_string = inet_ntoa(sin->sin_addr);
+ inet_ntoa_lock = 0;
+-
++#endif
+ ZEND_TRY_ASSIGN_REF_STRING(arg2, addr_string);
+
+ if (arg3 != NULL) {
+@@ -1527,12 +1539,14 @@ PHP_FUNCTION(socket_recvfrom)
+ struct sockaddr_in sin;
+ #if HAVE_IPV6
+ struct sockaddr_in6 sin6;
+- char addr6[INET6_ADDRSTRLEN];
++#endif
++#ifdef HAVE_INET_NTOP
++ char addrbuf[INET6_ADDRSTRLEN];
+ #endif
+ socklen_t slen;
+ int retval;
+ zend_long arg3, arg4;
+- char *address;
++ const char *address;
+ zend_string *recv_buf;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "Ozllz|z", &arg1, socket_ce, &arg2, &arg3, &arg4, &arg5, &arg6) == FAILURE) {
+@@ -1590,7 +1604,11 @@ PHP_FUNCTION(socket_recvfrom)
+ ZSTR_LEN(recv_buf) = retval;
+ ZSTR_VAL(recv_buf)[ZSTR_LEN(recv_buf)] = '\0';
+
++#ifdef HAVE_INET_NTOP
++ address = inet_ntop(AF_INET, &sin.sin_addr, addrbuf, sizeof(addrbuf));
++#else
+ address = inet_ntoa(sin.sin_addr);
++#endif
+
+ ZEND_TRY_ASSIGN_REF_NEW_STR(arg2, recv_buf);
+ ZEND_TRY_ASSIGN_REF_STRING(arg5, address ? address : "0.0.0.0");
+@@ -1617,11 +1635,11 @@ PHP_FUNCTION(socket_recvfrom)
+ ZSTR_LEN(recv_buf) = retval;
+ ZSTR_VAL(recv_buf)[ZSTR_LEN(recv_buf)] = '\0';
+
+- memset(addr6, 0, INET6_ADDRSTRLEN);
+- inet_ntop(AF_INET6, &sin6.sin6_addr, addr6, INET6_ADDRSTRLEN);
++ memset(addrbuf, 0, INET6_ADDRSTRLEN);
++ inet_ntop(AF_INET6, &sin6.sin6_addr, addrbuf, sizeof(addrbuf));
+
+ ZEND_TRY_ASSIGN_REF_NEW_STR(arg2, recv_buf);
+- ZEND_TRY_ASSIGN_REF_STRING(arg5, addr6[0] ? addr6 : "::");
++ ZEND_TRY_ASSIGN_REF_STRING(arg5, addrbuf[0] ? addrbuf : "::");
+ ZEND_TRY_ASSIGN_REF_LONG(arg6, ntohs(sin6.sin6_port));
+ break;
+ #endif
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index 41b98424edb60..6efdbbe894b46 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -228,6 +228,9 @@ PHP_FUNCTION(gethostbynamel)
+ struct hostent *hp;
+ struct in_addr in;
+ int i;
++#ifdef HAVE_INET_NTOP
++ char addr4[INET_ADDRSTRLEN];
++#endif
+
+ ZEND_PARSE_PARAMETERS_START(1, 1)
+ Z_PARAM_PATH(hostname, hostname_len)
+@@ -255,7 +258,11 @@ PHP_FUNCTION(gethostbynamel)
+ }
+
+ in = *h_addr_entry;
++#ifdef HAVE_INET_NTOP
++ add_next_index_string(return_value, inet_ntop(AF_INET, &in, addr4, INET_ADDRSTRLEN));
++#else
+ add_next_index_string(return_value, inet_ntoa(in));
++#endif
+ }
+ }
+ /* }}} */
+@@ -266,7 +273,10 @@ static zend_string *php_gethostbyname(char *name)
+ struct hostent *hp;
+ struct in_addr *h_addr_0; /* Don't call this h_addr, it's a macro! */
+ struct in_addr in;
+- char *address;
++#ifdef HAVE_INET_NTOP
++ char addr4[INET_ADDRSTRLEN];
++#endif
++ const char *address;
+
+ hp = php_network_gethostbyname(name);
+ if (!hp) {
+@@ -281,7 +291,11 @@ static zend_string *php_gethostbyname(char *name)
+
+ memcpy(&in.s_addr, h_addr_0, sizeof(in.s_addr));
+
++#ifdef HAVE_INET_NTOP
++ address = inet_ntop(AF_INET, &in, addr4, INET_ADDRSTRLEN);
++#else
+ address = inet_ntoa(in);
++#endif
+ return zend_string_init(address, strlen(address), 0);
+ }
+ /* }}} */
+diff --git a/main/network.c b/main/network.c
+index 2c504952b2dd1..7f2f714ec42df 100644
+--- a/main/network.c
++++ b/main/network.c
+@@ -236,8 +236,12 @@ PHPAPI int php_network_getaddresses(const char *host, int socktype, struct socka
+ } while ((sai = sai->ai_next) != NULL);
+
+ freeaddrinfo(res);
++#else
++#ifdef HAVE_INET_PTON
++ if (!inet_pton(AF_INET, host, &in)) {
+ #else
+ if (!inet_aton(host, &in)) {
++#endif
+ if(strlen(host) > MAXFQDNLEN) {
+ host_info = NULL;
+ errno = E2BIG;
+@@ -555,7 +559,11 @@ PHPAPI int php_network_parse_network_address_with_port(const char *addr, zend_lo
+ goto out;
+ }
+ #endif
++#ifdef HAVE_INET_PTON
++ if (inet_pton(AF_INET, tmp, &in4->sin_addr) > 0) {
++#else
+ if (inet_aton(tmp, &in4->sin_addr) > 0) {
++#endif
+ in4->sin_port = htons(port);
+ in4->sin_family = AF_INET;
+ *sl = sizeof(struct sockaddr_in);
+@@ -617,15 +625,19 @@ PHPAPI void php_network_populate_name_from_sockaddr(
+ }
+
+ if (textaddr) {
+-#if HAVE_IPV6 && HAVE_INET_NTOP
++#ifdef HAVE_INET_NTOP
+ char abuf[256];
+ #endif
+- char *buf = NULL;
++ const char *buf = NULL;
+
+ switch (sa->sa_family) {
+ case AF_INET:
+ /* generally not thread safe, but it *is* thread safe under win32 */
++#ifdef HAVE_INET_NTOP
++ buf = inet_ntop(AF_INET, &((struct sockaddr_in*)sa)->sin_addr, (char *)&abuf, sizeof(abuf));
++#else
+ buf = inet_ntoa(((struct sockaddr_in*)sa)->sin_addr);
++#endif
+ if (buf) {
+ *textaddr = strpprintf(0, "%s:%d",
+ buf, ntohs(((struct sockaddr_in*)sa)->sin_port));
+@@ -862,7 +874,11 @@ php_socket_t php_network_connect_socket_to_host(const char *host, unsigned short
+
+ in4->sin_family = sa->sa_family;
+ in4->sin_port = htons(bindport);
++#ifdef HAVE_INET_PTON
++ if (!inet_pton(AF_INET, bindto, &in4->sin_addr)) {
++#else
+ if (!inet_aton(bindto, &in4->sin_addr)) {
++#endif
+ php_error_docref(NULL, E_WARNING, "Invalid IP Address: %s", bindto);
+ goto skip_bind;
+ }
+From e5b6f43ec7813392d83ea586b7902e0396a1f792 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 6 May 2021 14:21:29 +0200
+Subject: [PATCH] get rid of inet_addr usage
+
+---
+ main/fastcgi.c | 4 ++++
+ sapi/litespeed/lsapilib.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/main/fastcgi.c b/main/fastcgi.c
+index 071f69d3a7f0..c936d42405de 100644
+--- a/main/fastcgi.c
++++ b/main/fastcgi.c
+@@ -688,8 +688,12 @@ int fcgi_listen(const char *path, int backlog)
+ if (!*host || !strncmp(host, "*", sizeof("*")-1)) {
+ sa.sa_inet.sin_addr.s_addr = htonl(INADDR_ANY);
+ } else {
++#ifdef HAVE_INET_PTON
++ if (!inet_pton(AF_INET, host, &sa.sa_inet.sin_addr)) {
++#else
+ sa.sa_inet.sin_addr.s_addr = inet_addr(host);
+ if (sa.sa_inet.sin_addr.s_addr == INADDR_NONE) {
++#endif
+ struct hostent *hep;
+
+ if(strlen(host) > MAXFQDNLEN) {
+diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c
+index a72b5dc1b988..305f3326a682 100644
+--- a/sapi/litespeed/lsapilib.c
++++ b/sapi/litespeed/lsapilib.c
+@@ -2672,8 +2672,12 @@ int LSAPI_ParseSockAddr( const char * pBind, struct sockaddr * pAddr )
+ ((struct sockaddr_in *)pAddr)->sin_addr.s_addr = htonl( INADDR_LOOPBACK );
+ else
+ {
++#ifdef HAVE_INET_PTON
++ if (!inet_pton(AF_INET, p, &((struct sockaddr_in *)pAddr)->sin_addr))
++#else
+ ((struct sockaddr_in *)pAddr)->sin_addr.s_addr = inet_addr( p );
+ if ( ((struct sockaddr_in *)pAddr)->sin_addr.s_addr == INADDR_BROADCAST)
++#endif
+ {
+ doAddrInfo = 1;
+ }
+From 99d67d121acd4c324738509679d23acaf759d065 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 6 May 2021 16:35:48 +0200
+Subject: [PATCH] use getnameinfo instead of gethostbyaddr
+
+---
+ ext/standard/dns.c | 34 ++++++++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index edd9a4549f5c..540c777faaba 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -169,20 +169,30 @@ PHP_FUNCTION(gethostbyaddr)
+ static zend_string *php_gethostbyaddr(char *ip)
+ {
+ #if HAVE_IPV6 && HAVE_INET_PTON
+- struct in6_addr addr6;
+-#endif
+- struct in_addr addr;
+- struct hostent *hp;
++ struct sockaddr_in sa4;
++ struct sockaddr_in6 sa6;
++ char out[NI_MAXHOST];
+
+-#if HAVE_IPV6 && HAVE_INET_PTON
+- if (inet_pton(AF_INET6, ip, &addr6)) {
+- hp = gethostbyaddr((char *) &addr6, sizeof(addr6), AF_INET6);
+- } else if (inet_pton(AF_INET, ip, &addr)) {
+- hp = gethostbyaddr((char *) &addr, sizeof(addr), AF_INET);
+- } else {
+- return NULL;
++ if (inet_pton(AF_INET6, ip, &sa6.sin6_addr)) {
++ sa6.sin6_family = AF_INET6;
++
++ if (getnameinfo((struct sockaddr *)&sa6, sizeof(sa6), out, sizeof(out), NULL, 0, NI_NAMEREQD) < 0) {
++ return zend_string_init(ip, strlen(ip), 0);
++ }
++ return zend_string_init(out, strlen(out), 0);
++ } else if (inet_pton(AF_INET, ip, &sa4.sin_addr)) {
++ sa4.sin_family = AF_INET;
++
++ if (getnameinfo((struct sockaddr *)&sa4, sizeof(sa4), out, sizeof(out), NULL, 0, NI_NAMEREQD) < 0) {
++ return zend_string_init(ip, strlen(ip), 0);
++ }
++ return zend_string_init(out, strlen(out), 0);
+ }
++ return NULL; /* not a valid IP */
+ #else
++ struct in_addr addr;
++ struct hostent *hp;
++
+ addr.s_addr = inet_addr(ip);
+
+ if (addr.s_addr == -1) {
+@@ -190,13 +200,13 @@ static zend_string *php_gethostbyaddr(char *ip)
+ }
+
+ hp = gethostbyaddr((char *) &addr, sizeof(addr), AF_INET);
+-#endif
+
+ if (!hp || hp->h_name == NULL || hp->h_name[0] == '\0') {
+ return zend_string_init(ip, strlen(ip), 0);
+ }
+
+ return zend_string_init(hp->h_name, strlen(hp->h_name), 0);
++#endif
+ }
+ /* }}} */
+
diff --git a/SOURCES/php-fpm-www.conf b/SOURCES/php-fpm-www.conf
new file mode 100644
index 0000000..7294d39
--- /dev/null
+++ b/SOURCES/php-fpm-www.conf
@@ -0,0 +1,438 @@
+; Start a new pool named 'www'.
+; the variable $pool can be used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or @php_fpm_prefix@) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+; will be used.
+; RPM: apache user chosen to provide access to the same directories as httpd
+user = apache
+; RPM: Keep a group allowed to write in log dir.
+group = apache
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
+; a specific port;
+; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+; a specific port;
+; 'port' - to listen on a TCP socket to all addresses
+; (IPv6 and IPv4-mapped) on a specific port;
+; '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = /run/php-fpm/www.sock
+
+; Set listen(2) backlog.
+; Default Value: 511
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server.
+; Default Values: user and group are set as the running user
+; mode is set to 0660
+;listen.owner = nobody
+;listen.group = nobody
+;listen.mode = 0660
+
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+listen.acl_users = apache,nginx
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+listen.allowed_clients = 127.0.0.1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+; - The pool processes will inherit the master process priority
+; unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; or group is differrent than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+; static - a fixed number (pm.max_children) of child processes;
+; dynamic - the number of child processes are set dynamically based on the
+; following directives. With this process management, there will be
+; always at least 1 children.
+; pm.max_children - the maximum number of children that can
+; be alive at the same time.
+; pm.start_servers - the number of children created on startup.
+; pm.min_spare_servers - the minimum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is less than this
+; number then some children will be created.
+; pm.max_spare_servers - the maximum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is greater than this
+; number then some children will be killed.
+; ondemand - no children are created at startup. Children will be forked when
+; new requests will connect. The following parameter are used:
+; pm.max_children - the maximum number of children that
+; can be alive at the same time.
+; pm.process_idle_timeout - The number of seconds after which
+; an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 50
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
+pm.start_servers = 5
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 5
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 35
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following informations:
+; pool - the name of the pool;
+; process manager - static, dynamic or ondemand;
+; start time - the date and time FPM has started;
+; start since - number of seconds since FPM has started;
+; accepted conn - the number of request accepted by the pool;
+; listen queue - the number of request in the queue of pending
+; connections (see backlog in listen(2));
+; max listen queue - the maximum number of requests in the queue
+; of pending connections since FPM has started;
+; listen queue len - the size of the socket queue of pending connections;
+; idle processes - the number of idle processes;
+; active processes - the number of active processes;
+; total processes - the number of idle + active processes;
+; max active processes - the maximum number of active processes since FPM
+; has started;
+; max children reached - number of times, the process limit has been reached,
+; when pm tries to start more children (works only for
+; pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+; pool: www
+; process manager: static
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 62636
+; accepted conn: 190460
+; listen queue: 0
+; max listen queue: 1
+; listen queue len: 42
+; idle processes: 4
+; active processes: 11
+; total processes: 15
+; max active processes: 12
+; max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+; http://www.foo.bar/status
+; http://www.foo.bar/status?json
+; http://www.foo.bar/status?html
+; http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+; http://www.foo.bar/status?full
+; http://www.foo.bar/status?json&full
+; http://www.foo.bar/status?html&full
+; http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+; pid - the PID of the process;
+; state - the state of the process (Idle, Running, ...);
+; start time - the date and time the process has started;
+; start since - the number of seconds since the process has started;
+; requests - the number of requests the process has served;
+; request duration - the duration in µs of the requests;
+; request method - the request method (GET, POST, ...);
+; request URI - the request URI with the query string;
+; content length - the content length of the request (only with POST);
+; user - the user (PHP_AUTH_USER) (or '-' if not set);
+; script - the main script called (or '-' if not set);
+; last request cpu - the %cpu the last request consumed
+; it's always 0 if the process is not in Idle state
+; because CPU calculation is done when the request
+; processing has terminated;
+; last request memory - the max amount of memory the last request consumed
+; it's always 0 if the process is not in Idle state
+; because memory calculation is done when the request
+; processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+; ************************
+; pid: 31330
+; state: Running
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 63087
+; requests: 12808
+; request duration: 1250261
+; request method: GET
+; request URI: /test_mem.php?N=10000
+; content length: 0
+; user: -
+; script: /home/fat/web/docs/php/test_mem.php
+; last request cpu: 0.00
+; last request memory: 0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+; It's available in: @EXPANDED_DATADIR@/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+;pm.status_path = /status
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+; %%: the '%' character
+; %C: %CPU used by the request
+; it can accept the following format:
+; - %{user}C for user CPU only
+; - %{system}C for system CPU only
+; - %{total}C for user + system CPU (default)
+; %d: time taken to serve the request
+; it can accept the following format:
+; - %{seconds}d (default)
+; - %{miliseconds}d
+; - %{mili}d
+; - %{microseconds}d
+; - %{micro}d
+; %e: an environment variable (same as $_ENV or $_SERVER)
+; it must be associated with embraces to specify the name of the env
+; variable. Some exemples:
+; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+; %f: script filename
+; %l: content-length of the request (for POST request only)
+; %m: request method
+; %M: peak of memory allocated by PHP
+; it can accept the following format:
+; - %{bytes}M (default)
+; - %{kilobytes}M
+; - %{kilo}M
+; - %{megabytes}M
+; - %{mega}M
+; %n: pool name
+; %o: output header
+; it must be associated with embraces to specify the name of the header:
+; - %{Content-Type}o
+; - %{X-Powered-By}o
+; - %{Transfert-Encoding}o
+; - ....
+; %p: PID of the child that serviced the request
+; %P: PID of the parent of the child that serviced the request
+; %q: the query string
+; %Q: the '?' character if query string exists
+; %r: the request URI (without the query string, see %q and %Q)
+; %R: remote IP address
+; %s: status (response code)
+; %t: server time the request was received
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %T: time the log has been written (the request has finished)
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+slowlog = /var/log/php-fpm/www-slow.log
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+; possible. However, all PHP paths will be relative to the chroot
+; (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+; php_value/php_flag - you can set classic ini defines which can
+; be overwritten from PHP call 'ini_set'.
+; php_admin_value/php_admin_flag - these directives won't be overwritten by
+; PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or @prefix@)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+php_admin_value[error_log] = /var/log/php-fpm/www-error.log
+php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 128M
+
+; Set the following data paths to directories owned by the FPM process user.
+;
+; Do not change the ownership of existing system directories, if the process
+; user does not have write permission, create dedicated directories for this
+; purpose.
+;
+; See warning about choosing the location of these directories on your system
+; at http://php.net/session.save-path
+php_value[session.save_handler] = files
+php_value[session.save_path] = /var/lib/php/session
+php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
+;php_value[opcache.file_cache] = /var/lib/php/opcache
diff --git a/SOURCES/php-fpm.conf b/SOURCES/php-fpm.conf
new file mode 100644
index 0000000..53a07b6
--- /dev/null
+++ b/SOURCES/php-fpm.conf
@@ -0,0 +1,137 @@
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+
+; All relative paths in this configuration file are relative to PHP's install
+; prefix.
+
+; Include one or more files. If glob(3) exists, it is used to include a bunch of
+; files from a glob(3) pattern. This directive can be used everywhere in the
+; file.
+include=/etc/php-fpm.d/*.conf
+
+;;;;;;;;;;;;;;;;;;
+; Global Options ;
+;;;;;;;;;;;;;;;;;;
+
+[global]
+; Pid file
+; Default Value: none
+pid = /run/php-fpm/php-fpm.pid
+
+; Error log file
+; If it's set to "syslog", log is sent to syslogd instead of being written
+; in a local file.
+; Default Value: /var/log/php-fpm.log
+error_log = /var/log/php-fpm/error.log
+
+; syslog_facility is used to specify what type of program is logging the
+; message. This lets syslogd specify that messages from different facilities
+; will be handled differently.
+; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
+; Default Value: daemon
+;syslog.facility = daemon
+
+; syslog_ident is prepended to every message. If you have multiple FPM
+; instances running on the same server, you can change the default value
+; which must suit common needs.
+; Default Value: php-fpm
+;syslog.ident = php-fpm
+
+; Log level
+; Possible Values: alert, error, warning, notice, debug
+; Default Value: notice
+;log_level = notice
+
+; Log limit on number of characters in the single line (log entry). If the
+; line is over the limit, it is wrapped on multiple lines. The limit is for
+; all logged characters including message prefix and suffix if present. However
+; the new line character does not count into it as it is present only when
+; logging to a file descriptor. It means the new line character is not present
+; when logging to syslog.
+; Default Value: 1024
+;log_limit = 4096
+
+; Log buffering specifies if the log line is buffered which means that the
+; line is written in a single write operation. If the value is false, then the
+; data is written directly into the file descriptor. It is an experimental
+; option that can potentionaly improve logging performance and memory usage
+; for some heavy logging scenarios. This option is ignored if logging to syslog
+; as it has to be always buffered.
+; Default value: yes
+;log_buffering = no
+
+; If this number of child processes exit with SIGSEGV or SIGBUS within the time
+; interval set by emergency_restart_interval then FPM will restart. A value
+; of '0' means 'Off'.
+; Default Value: 0
+;emergency_restart_threshold = 0
+
+; Interval of time used by emergency_restart_interval to determine when
+; a graceful restart will be initiated. This can be useful to work around
+; accidental corruptions in an accelerator's shared memory.
+; Available Units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+;emergency_restart_interval = 0
+
+; Time limit for child processes to wait for a reaction on signals from master.
+; Available units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+;process_control_timeout = 0
+
+; The maximum number of processes FPM will fork. This has been designed to control
+; the global number of processes when using dynamic PM within a lot of pools.
+; Use it with caution.
+; Note: A value of 0 indicates no limit
+; Default Value: 0
+;process.max = 128
+
+; Specify the nice(2) priority to apply to the master process (only if set)
+; The value can vary from -19 (highest priority) to 20 (lowest priority)
+; Note: - It will only work if the FPM master process is launched as root
+; - The pool process will inherit the master process priority
+; unless specified otherwise
+; Default Value: no set
+;process.priority = -19
+
+; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
+; Default Value: yes
+daemonize = yes
+
+; Set open file descriptor rlimit for the master process.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit for the master process.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Specify the event mechanism FPM will use. The following is available:
+; - select (any POSIX os)
+; - poll (any POSIX os)
+; - epoll (linux >= 2.5.44)
+; Default Value: not set (auto detection)
+;events.mechanism = epoll
+
+; When FPM is built with systemd integration, specify the interval,
+; in seconds, between health report notification to systemd.
+; Set to 0 to disable.
+; Available Units: s(econds), m(inutes), h(ours)
+; Default Unit: seconds
+; Default value: 10
+;systemd_interval = 10
+
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Multiple pools of child processes may be started with different listening
+; ports and different management options. The name of the pool will be
+; used in logs and stats. There is no limitation on the number of pools which
+; FPM can handle. Your system will tell you anyway :)
+
+; See /etc/php-fpm.d/*.conf
+
diff --git a/SOURCES/php-fpm.logrotate b/SOURCES/php-fpm.logrotate
new file mode 100644
index 0000000..25f9feb
--- /dev/null
+++ b/SOURCES/php-fpm.logrotate
@@ -0,0 +1,9 @@
+/var/log/php-fpm/*log {
+ missingok
+ notifempty
+ sharedscripts
+ delaycompress
+ postrotate
+ /bin/kill -SIGUSR1 `cat /run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true
+ endscript
+}
diff --git a/SOURCES/php-fpm.service b/SOURCES/php-fpm.service
new file mode 100644
index 0000000..2d96ce7
--- /dev/null
+++ b/SOURCES/php-fpm.service
@@ -0,0 +1,19 @@
+# It's not recommended to modify this file in-place, because it
+# will be overwritten during upgrades. If you want to customize,
+# the best way is to use the "systemctl edit" command.
+
+[Unit]
+Description=The PHP FastCGI Process Manager
+After=syslog.target network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/php-fpm --nodaemonize
+ExecReload=/bin/kill -USR2 $MAINPID
+PrivateTmp=true
+RuntimeDirectory=php-fpm
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/SOURCES/php-fpm.wants b/SOURCES/php-fpm.wants
new file mode 100644
index 0000000..5c7c8e4
--- /dev/null
+++ b/SOURCES/php-fpm.wants
@@ -0,0 +1,3 @@
+[Unit]
+Wants=php-fpm.service
+
diff --git a/SOURCES/php.conf b/SOURCES/php.conf
new file mode 100644
index 0000000..8585837
--- /dev/null
+++ b/SOURCES/php.conf
@@ -0,0 +1,64 @@
+#
+# The following lines prevent .user.ini files from being viewed by Web clients.
+#
+<Files ".user.ini">
+ Require all denied
+</Files>
+
+#
+# Allow php to handle Multiviews
+#
+AddType text/html .php
+
+#
+# Add index.php to the list of files that will be served as directory
+# indexes.
+#
+DirectoryIndex index.php
+
+#
+# Redirect to local php-fpm (no mod_php in default configuration)
+#
+<IfModule !mod_php5.c>
+ <IfModule !mod_php7.c>
+ # Enable http authorization headers
+ SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
+
+ <FilesMatch \.(php|phar)$>
+ SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
+ </FilesMatch>
+ </IfModule>
+</IfModule>
+
+#
+# mod_php is deprecated as FPM is now used by default with httpd in event mode
+# mod_php is only used when explicitly enabled or httpd switch to prefork mode
+#
+# mod_php options
+#
+<IfModule mod_php7.c>
+ #
+ # Cause the PHP interpreter to handle files with a .php extension.
+ #
+ <FilesMatch \.(php|phar)$>
+ SetHandler application/x-httpd-php
+ </FilesMatch>
+
+ #
+ # Uncomment the following lines to allow PHP to pretty-print .phps
+ # files as PHP source code:
+ #
+ #<FilesMatch \.phps$>
+ # SetHandler application/x-httpd-php-source
+ #</FilesMatch>
+
+ #
+ # Apache specific PHP configuration options
+ # those can be override in each configured vhost
+ #
+ php_value session.save_handler "files"
+ php_value session.save_path "/var/lib/php/session"
+ php_value soap.wsdl_cache_dir "/var/lib/php/wsdlcache"
+
+ #php_value opcache.file_cache "/var/lib/php/opcache"
+</IfModule>
diff --git a/SOURCES/php.ini b/SOURCES/php.ini
new file mode 100644
index 0000000..3ff0997
--- /dev/null
+++ b/SOURCES/php.ini
@@ -0,0 +1,1663 @@
+[PHP]
+
+;;;;;;;;;;;;;;;;;;;
+; About php.ini ;
+;;;;;;;;;;;;;;;;;;;
+; PHP's initialization file, generally called php.ini, is responsible for
+; configuring many of the aspects of PHP's behavior.
+
+; PHP attempts to find and load this configuration from a number of locations.
+; The following is a summary of its search order:
+; 1. SAPI module specific location.
+; 2. The PHPRC environment variable. (As of PHP 5.2.0)
+; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
+; 4. Current working directory (except CLI)
+; 5. The web server's directory (for SAPI modules), or directory of PHP
+; (otherwise in Windows)
+; 6. The directory from the --with-config-file-path compile time option, or the
+; Windows directory (usually C:\windows)
+; See the PHP docs for more specific information.
+; http://php.net/configuration.file
+
+; The syntax of the file is extremely simple. Whitespace and lines
+; beginning with a semicolon are silently ignored (as you probably guessed).
+; Section headers (e.g. [Foo]) are also silently ignored, even though
+; they might mean something in the future.
+
+; Directives following the section heading [PATH=/www/mysite] only
+; apply to PHP files in the /www/mysite directory. Directives
+; following the section heading [HOST=www.example.com] only apply to
+; PHP files served from www.example.com. Directives set in these
+; special sections cannot be overridden by user-defined INI files or
+; at runtime. Currently, [PATH=] and [HOST=] sections only work under
+; CGI/FastCGI.
+; http://php.net/ini.sections
+
+; Directives are specified using the following syntax:
+; directive = value
+; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
+; Directives are variables used to configure PHP or PHP extensions.
+; There is no name validation. If PHP can't find an expected
+; directive because it is not set or is mistyped, a default value will be used.
+
+; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
+; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
+; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a
+; previously set variable or directive (e.g. ${foo})
+
+; Expressions in the INI file are limited to bitwise operators and parentheses:
+; | bitwise OR
+; ^ bitwise XOR
+; & bitwise AND
+; ~ bitwise NOT
+; ! boolean NOT
+
+; Boolean flags can be turned on using the values 1, On, True or Yes.
+; They can be turned off using the values 0, Off, False or No.
+
+; An empty string can be denoted by simply not writing anything after the equal
+; sign, or by using the None keyword:
+
+; foo = ; sets foo to an empty string
+; foo = None ; sets foo to an empty string
+; foo = "None" ; sets foo to the string 'None'
+
+; If you use constants in your value, and these constants belong to a
+; dynamically loaded extension (either a PHP extension or a Zend extension),
+; you may only use these constants *after* the line that loads the extension.
+
+;;;;;;;;;;;;;;;;;;;
+; About this file ;
+;;;;;;;;;;;;;;;;;;;
+; PHP comes packaged with two INI files. One that is recommended to be used
+; in production environments and one that is recommended to be used in
+; development environments.
+
+; php.ini-production contains settings which hold security, performance and
+; best practices at its core. But please be aware, these settings may break
+; compatibility with older or less security conscience applications. We
+; recommending using the production ini in production and testing environments.
+
+; php.ini-development is very similar to its production variant, except it is
+; much more verbose when it comes to errors. We recommend using the
+; development version only in development environments, as errors shown to
+; application users can inadvertently leak otherwise secure information.
+
+; This is the php.ini-production INI file.
+
+;;;;;;;;;;;;;;;;;;;
+; Quick Reference ;
+;;;;;;;;;;;;;;;;;;;
+
+; The following are all the settings which are different in either the production
+; or development versions of the INIs with respect to PHP's default behavior.
+; Please see the actual settings later in the document for more details as to why
+; we recommend these changes in PHP's behavior.
+
+; display_errors
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+
+; display_startup_errors
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+
+; error_reporting
+; Default Value: E_ALL
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; log_errors
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+
+; max_input_time
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+
+; output_buffering
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+
+; register_argc_argv
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+
+; request_order
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+
+; session.gc_divisor
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+
+; session.sid_bits_per_character
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+
+; short_open_tag
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+
+; variables_order
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS"
+
+; zend.exception_ignore_args
+; Default Value: Off
+; Development Value: Off
+; Production Value: On
+
+; zend.exception_string_param_max_len
+; Default Value: 15
+; Development Value: 15
+; Production Value: 0
+
+;;;;;;;;;;;;;;;;;;;;
+; php.ini Options ;
+;;;;;;;;;;;;;;;;;;;;
+; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"
+;user_ini.filename = ".user.ini"
+
+; To disable this feature set this option to an empty value
+;user_ini.filename =
+
+; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
+;user_ini.cache_ttl = 300
+
+;;;;;;;;;;;;;;;;;;;;
+; Language Options ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Enable the PHP scripting language engine under Apache.
+; http://php.net/engine
+engine = On
+
+; This directive determines whether or not PHP will recognize code between
+; <? and ?> tags as PHP source which should be processed as such. It is
+; generally recommended that <?php and ?> should be used and that this feature
+; should be disabled, as enabling it may result in issues when generating XML
+; documents, however this remains supported for backward compatibility reasons.
+; Note that this directive does not control the <?= shorthand tag, which can be
+; used regardless of this directive.
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/short-open-tag
+short_open_tag = Off
+
+; The number of significant digits displayed in floating point numbers.
+; http://php.net/precision
+precision = 14
+
+; Output buffering is a mechanism for controlling how much output data
+; (excluding headers and cookies) PHP should keep internally before pushing that
+; data to the client. If your application's output exceeds this setting, PHP
+; will send that data in chunks of roughly the size you specify.
+; Turning on this setting and managing its maximum buffer size can yield some
+; interesting side-effects depending on your application and web server.
+; You may be able to send headers and cookies after you've already sent output
+; through print or echo. You also may see performance benefits if your server is
+; emitting less packets due to buffered output versus PHP streaming the output
+; as it gets it. On production servers, 4096 bytes is a good setting for performance
+; reasons.
+; Note: Output buffering can also be controlled via Output Buffering Control
+; functions.
+; Possible Values:
+; On = Enabled and buffer is unlimited. (Use with caution)
+; Off = Disabled
+; Integer = Enables the buffer and sets its maximum size in bytes.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+; http://php.net/output-buffering
+output_buffering = 4096
+
+; You can redirect all of the output of your scripts to a function. For
+; example, if you set output_handler to "mb_output_handler", character
+; encoding will be transparently converted to the specified encoding.
+; Setting any output handler automatically turns on output buffering.
+; Note: People who wrote portable scripts should not depend on this ini
+; directive. Instead, explicitly set the output handler using ob_start().
+; Using this ini directive may cause problems unless you know what script
+; is doing.
+; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
+; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
+; Note: output_handler must be empty if this is set 'On' !!!!
+; Instead you must use zlib.output_handler.
+; http://php.net/output-handler
+;output_handler =
+
+; URL rewriter function rewrites URL on the fly by using
+; output buffer. You can set target tags by this configuration.
+; "form" tag is special tag. It will add hidden input tag to pass values.
+; Refer to session.trans_sid_tags for usage.
+; Default Value: "form="
+; Development Value: "form="
+; Production Value: "form="
+;url_rewriter.tags
+
+; URL rewriter will not rewrite absolute URL nor form by default. To enable
+; absolute URL rewrite, allowed hosts must be defined at RUNTIME.
+; Refer to session.trans_sid_hosts for more details.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;url_rewriter.hosts
+
+; Transparent output compression using the zlib library
+; Valid values for this option are 'off', 'on', or a specific buffer size
+; to be used for compression (default is 4KB)
+; Note: Resulting chunk size may vary due to nature of compression. PHP
+; outputs chunks that are few hundreds bytes each as a result of
+; compression. If you prefer a larger chunk size for better
+; performance, enable output_buffering in addition.
+; Note: You need to use zlib.output_handler instead of the standard
+; output_handler, or otherwise the output will be corrupted.
+; http://php.net/zlib.output-compression
+zlib.output_compression = Off
+
+; http://php.net/zlib.output-compression-level
+;zlib.output_compression_level = -1
+
+; You cannot specify additional output handlers if zlib.output_compression
+; is activated here. This setting does the same as output_handler but in
+; a different order.
+; http://php.net/zlib.output-handler
+;zlib.output_handler =
+
+; Implicit flush tells PHP to tell the output layer to flush itself
+; automatically after every output block. This is equivalent to calling the
+; PHP function flush() after each and every call to print() or echo() and each
+; and every HTML block. Turning this option on has serious performance
+; implications and is generally recommended for debugging purposes only.
+; http://php.net/implicit-flush
+; Note: This directive is hardcoded to On for the CLI SAPI
+implicit_flush = Off
+
+; The unserialize callback function will be called (with the undefined class'
+; name as parameter), if the unserializer finds an undefined class
+; which should be instantiated. A warning appears if the specified function is
+; not defined, or if the function doesn't include/implement the missing class.
+; So only set this entry, if you really want to implement such a
+; callback-function.
+unserialize_callback_func =
+
+; The unserialize_max_depth specifies the default depth limit for unserialized
+; structures. Setting the depth limit too high may result in stack overflows
+; during unserialization. The unserialize_max_depth ini setting can be
+; overridden by the max_depth option on individual unserialize() calls.
+; A value of 0 disables the depth limit.
+;unserialize_max_depth = 4096
+
+; When floats & doubles are serialized, store serialize_precision significant
+; digits after the floating point. The default value ensures that when floats
+; are decoded with unserialize, the data will remain the same.
+; The value is also used for json_encode when encoding double values.
+; If -1 is used, then dtoa mode 0 is used which automatically select the best
+; precision.
+serialize_precision = -1
+
+; open_basedir, if set, limits all file operations to the defined directory
+; and below. This directive makes most sense if used in a per-directory
+; or per-virtualhost web server configuration file.
+; Note: disables the realpath cache
+; http://php.net/open-basedir
+;open_basedir =
+
+; This directive allows you to disable certain functions.
+; It receives a comma-delimited list of function names.
+; http://php.net/disable-functions
+disable_functions =
+
+; This directive allows you to disable certain classes.
+; It receives a comma-delimited list of class names.
+; http://php.net/disable-classes
+disable_classes =
+
+; Colors for Syntax Highlighting mode. Anything that's acceptable in
+; <span style="color: ???????"> would work.
+; http://php.net/syntax-highlighting
+;highlight.string = #DD0000
+;highlight.comment = #FF9900
+;highlight.keyword = #007700
+;highlight.default = #0000BB
+;highlight.html = #000000
+
+; If enabled, the request will be allowed to complete even if the user aborts
+; the request. Consider enabling it if executing long requests, which may end up
+; being interrupted by the user or a browser timing out. PHP's default behavior
+; is to disable this feature.
+; http://php.net/ignore-user-abort
+;ignore_user_abort = On
+
+; Determines the size of the realpath cache to be used by PHP. This value should
+; be increased on systems where PHP opens many files to reflect the quantity of
+; the file operations performed.
+; Note: if open_basedir is set, the cache is disabled
+; http://php.net/realpath-cache-size
+;realpath_cache_size = 4096k
+
+; Duration of time, in seconds for which to cache realpath information for a given
+; file or directory. For systems with rarely changing files, consider increasing this
+; value.
+; http://php.net/realpath-cache-ttl
+;realpath_cache_ttl = 120
+
+; Enables or disables the circular reference collector.
+; http://php.net/zend.enable-gc
+zend.enable_gc = On
+
+; If enabled, scripts may be written in encodings that are incompatible with
+; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such
+; encodings. To use this feature, mbstring extension must be enabled.
+;zend.multibyte = Off
+
+; Allows to set the default encoding for the scripts. This value will be used
+; unless "declare(encoding=...)" directive appears at the top of the script.
+; Only affects if zend.multibyte is set.
+;zend.script_encoding =
+
+; Allows to include or exclude arguments from stack traces generated for exceptions.
+; In production, it is recommended to turn this setting on to prohibit the output
+; of sensitive information in stack traces
+; Default Value: Off
+; Development Value: Off
+; Production Value: On
+zend.exception_ignore_args = On
+
+; Allows setting the maximum string length in an argument of a stringified stack trace
+; to a value between 0 and 1000000.
+; This has no effect when zend.exception_ignore_args is enabled.
+; Default Value: 15
+; Development Value: 15
+; Production Value: 0
+; In production, it is recommended to set this to 0 to reduce the output
+; of sensitive information in stack traces.
+zend.exception_string_param_max_len = 0
+
+;;;;;;;;;;;;;;;;;
+; Miscellaneous ;
+;;;;;;;;;;;;;;;;;
+
+; Decides whether PHP may expose the fact that it is installed on the server
+; (e.g. by adding its signature to the Web server header). It is no security
+; threat in any way, but it makes it possible to determine whether you use PHP
+; on your server or not.
+; http://php.net/expose-php
+expose_php = On
+
+;;;;;;;;;;;;;;;;;;;
+; Resource Limits ;
+;;;;;;;;;;;;;;;;;;;
+
+; Maximum execution time of each script, in seconds
+; http://php.net/max-execution-time
+; Note: This directive is hardcoded to 0 for the CLI SAPI
+max_execution_time = 30
+
+; Maximum amount of time each script may spend parsing request data. It's a good
+; idea to limit this time on productions servers in order to eliminate unexpectedly
+; long running scripts.
+; Note: This directive is hardcoded to -1 for the CLI SAPI
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+; http://php.net/max-input-time
+max_input_time = 60
+
+; Maximum input variable nesting level
+; http://php.net/max-input-nesting-level
+;max_input_nesting_level = 64
+
+; How many GET/POST/COOKIE input variables may be accepted
+;max_input_vars = 1000
+
+; Maximum amount of memory a script may consume
+; http://php.net/memory-limit
+memory_limit = 128M
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Error handling and logging ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; This directive informs PHP of which errors, warnings and notices you would like
+; it to take action for. The recommended way of setting values for this
+; directive is through the use of the error level constants and bitwise
+; operators. The error level constants are below here for convenience as well as
+; some common settings and their meanings.
+; By default, PHP is set to take action on all errors, notices and warnings EXCEPT
+; those related to E_NOTICE and E_STRICT, which together cover best practices and
+; recommended coding standards in PHP. For performance reasons, this is the
+; recommend error reporting setting. Your production server shouldn't be wasting
+; resources complaining about best practices and coding standards. That's what
+; development servers and development settings are for.
+; Note: The php.ini-development file has this setting as E_ALL. This
+; means it pretty much reports everything which is exactly what you want during
+; development and early testing.
+;
+; Error Level Constants:
+; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0)
+; E_ERROR - fatal run-time errors
+; E_RECOVERABLE_ERROR - almost fatal run-time errors
+; E_WARNING - run-time warnings (non-fatal errors)
+; E_PARSE - compile-time parse errors
+; E_NOTICE - run-time notices (these are warnings which often result
+; from a bug in your code, but it's possible that it was
+; intentional (e.g., using an uninitialized variable and
+; relying on the fact it is automatically initialized to an
+; empty string)
+; E_STRICT - run-time notices, enable to have PHP suggest changes
+; to your code which will ensure the best interoperability
+; and forward compatibility of your code
+; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
+; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
+; initial startup
+; E_COMPILE_ERROR - fatal compile-time errors
+; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
+; E_USER_ERROR - user-generated error message
+; E_USER_WARNING - user-generated warning message
+; E_USER_NOTICE - user-generated notice message
+; E_DEPRECATED - warn about code that will not work in future versions
+; of PHP
+; E_USER_DEPRECATED - user-generated deprecation warnings
+;
+; Common Values:
+; E_ALL (Show all errors, warnings and notices including coding standards.)
+; E_ALL & ~E_NOTICE (Show all errors, except for notices)
+; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
+; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
+; Default Value: E_ALL
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+; http://php.net/error-reporting
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; This directive controls whether or not and where PHP will output errors,
+; notices and warnings too. Error output is very useful during development, but
+; it could be very dangerous in production environments. Depending on the code
+; which is triggering the error, sensitive information could potentially leak
+; out of your application such as database usernames and passwords or worse.
+; For production environments, we recommend logging errors rather than
+; sending them to STDOUT.
+; Possible Values:
+; Off = Do not display any errors
+; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
+; On or stdout = Display errors to STDOUT
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-errors
+display_errors = Off
+
+; The display of errors which occur during PHP's startup sequence are handled
+; separately from display_errors. We strongly recommend you set this to 'off'
+; for production servers to avoid leaking configuration details.
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-startup-errors
+display_startup_errors = Off
+
+; Besides displaying errors, PHP can also log errors to locations such as a
+; server-specific log, STDERR, or a location specified by the error_log
+; directive found below. While errors should not be displayed on productions
+; servers they should still be monitored and logging is a great way to do that.
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+; http://php.net/log-errors
+log_errors = On
+
+; Set maximum length of log_errors. In error_log information about the source is
+; added. The default is 1024 and 0 allows to not apply any maximum length at all.
+; http://php.net/log-errors-max-len
+log_errors_max_len = 1024
+
+; Do not log repeated messages. Repeated errors must occur in same file on same
+; line unless ignore_repeated_source is set true.
+; http://php.net/ignore-repeated-errors
+ignore_repeated_errors = Off
+
+; Ignore source of message when ignoring repeated messages. When this setting
+; is On you will not log errors with repeated messages from different files or
+; source lines.
+; http://php.net/ignore-repeated-source
+ignore_repeated_source = Off
+
+; If this parameter is set to Off, then memory leaks will not be shown (on
+; stdout or in the log). This is only effective in a debug compile, and if
+; error reporting includes E_WARNING in the allowed list
+; http://php.net/report-memleaks
+report_memleaks = On
+
+; This setting is off by default.
+;report_zend_debug = 0
+
+; Turn off normal error reporting and emit XML-RPC error XML
+; http://php.net/xmlrpc-errors
+;xmlrpc_errors = 0
+
+; An XML-RPC faultCode
+;xmlrpc_error_number = 0
+
+; When PHP displays or logs an error, it has the capability of formatting the
+; error message as HTML for easier reading. This directive controls whether
+; the error message is formatted as HTML or not.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; http://php.net/html-errors
+;html_errors = On
+
+; If html_errors is set to On *and* docref_root is not empty, then PHP
+; produces clickable error messages that direct to a page describing the error
+; or function causing the error in detail.
+; You can download a copy of the PHP manual from http://php.net/docs
+; and change docref_root to the base URL of your local copy including the
+; leading '/'. You must also specify the file extension being used including
+; the dot. PHP's default behavior is to leave these settings empty, in which
+; case no links to documentation are generated.
+; Note: Never use this feature for production boxes.
+; http://php.net/docref-root
+; Examples
+;docref_root = "/phpmanual/"
+
+; http://php.net/docref-ext
+;docref_ext = .html
+
+; String to output before an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-prepend-string
+; Example:
+;error_prepend_string = "<span style='color: #ff0000'>"
+
+; String to output after an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-append-string
+; Example:
+;error_append_string = "</span>"
+
+; Log errors to specified file. PHP's default behavior is to leave this value
+; empty.
+; http://php.net/error-log
+; Example:
+;error_log = php_errors.log
+; Log errors to syslog (Event Log on Windows).
+;error_log = syslog
+
+; The syslog ident is a string which is prepended to every message logged
+; to syslog. Only used when error_log is set to syslog.
+;syslog.ident = php
+
+; The syslog facility is used to specify what type of program is logging
+; the message. Only used when error_log is set to syslog.
+;syslog.facility = user
+
+; Set this to disable filtering control characters (the default).
+; Some loggers only accept NVT-ASCII, others accept anything that's not
+; control characters. If your logger accepts everything, then no filtering
+; is needed at all.
+; Allowed values are:
+; ascii (all printable ASCII characters and NL)
+; no-ctrl (all characters except control characters)
+; all (all characters)
+; raw (like "all", but messages are not split at newlines)
+; http://php.net/syslog.filter
+;syslog.filter = ascii
+
+;windows.show_crt_warning
+; Default value: 0
+; Development value: 0
+; Production value: 0
+
+;;;;;;;;;;;;;;;;;
+; Data Handling ;
+;;;;;;;;;;;;;;;;;
+
+; The separator used in PHP generated URLs to separate arguments.
+; PHP's default setting is "&".
+; http://php.net/arg-separator.output
+; Example:
+;arg_separator.output = "&"
+
+; List of separator(s) used by PHP to parse input URLs into variables.
+; PHP's default setting is "&".
+; NOTE: Every character in this directive is considered as separator!
+; http://php.net/arg-separator.input
+; Example:
+;arg_separator.input = ";&"
+
+; This directive determines which super global arrays are registered when PHP
+; starts up. G,P,C,E & S are abbreviations for the following respective super
+; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty
+; paid for the registration of these arrays and because ENV is not as commonly
+; used as the others, ENV is not recommended on productions servers. You
+; can still get access to the environment variables through getenv() should you
+; need to.
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS";
+; http://php.net/variables-order
+variables_order = "GPCS"
+
+; This directive determines which super global data (G,P & C) should be
+; registered into the super global array REQUEST. If so, it also determines
+; the order in which that data is registered. The values for this directive
+; are specified in the same manner as the variables_order directive,
+; EXCEPT one. Leaving this value empty will cause PHP to use the value set
+; in the variables_order directive. It does not mean it will leave the super
+; globals array REQUEST empty.
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+; http://php.net/request-order
+request_order = "GP"
+
+; This directive determines whether PHP registers $argv & $argc each time it
+; runs. $argv contains an array of all the arguments passed to PHP when a script
+; is invoked. $argc contains an integer representing the number of arguments
+; that were passed when the script was invoked. These arrays are extremely
+; useful when running scripts from the command line. When this directive is
+; enabled, registering these variables consumes CPU cycles and memory each time
+; a script is executed. For performance reasons, this feature should be disabled
+; on production servers.
+; Note: This directive is hardcoded to On for the CLI SAPI
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/register-argc-argv
+register_argc_argv = Off
+
+; When enabled, the ENV, REQUEST and SERVER variables are created when they're
+; first used (Just In Time) instead of when the script starts. If these
+; variables are not used within a script, having this directive on will result
+; in a performance gain. The PHP directive register_argc_argv must be disabled
+; for this directive to have any effect.
+; http://php.net/auto-globals-jit
+auto_globals_jit = On
+
+; Whether PHP will read the POST data.
+; This option is enabled by default.
+; Most likely, you won't want to disable this option globally. It causes $_POST
+; and $_FILES to always be empty; the only way you will be able to read the
+; POST data will be through the php://input stream wrapper. This can be useful
+; to proxy requests or to process the POST data in a memory efficient fashion.
+; http://php.net/enable-post-data-reading
+;enable_post_data_reading = Off
+
+; Maximum size of POST data that PHP will accept.
+; Its value may be 0 to disable the limit. It is ignored if POST data reading
+; is disabled through enable_post_data_reading.
+; http://php.net/post-max-size
+post_max_size = 8M
+
+; Automatically add files before PHP document.
+; http://php.net/auto-prepend-file
+auto_prepend_file =
+
+; Automatically add files after PHP document.
+; http://php.net/auto-append-file
+auto_append_file =
+
+; By default, PHP will output a media type using the Content-Type header. To
+; disable this, simply set it to be empty.
+;
+; PHP's built-in default media type is set to text/html.
+; http://php.net/default-mimetype
+default_mimetype = "text/html"
+
+; PHP's default character set is set to UTF-8.
+; http://php.net/default-charset
+default_charset = "UTF-8"
+
+; PHP internal character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/internal-encoding
+;internal_encoding =
+
+; PHP input character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/input-encoding
+;input_encoding =
+
+; PHP output character encoding is set to empty.
+; If empty, default_charset is used.
+; See also output_buffer.
+; http://php.net/output-encoding
+;output_encoding =
+
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; Paths and Directories ;
+;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; UNIX: "/path1:/path2"
+;include_path = ".:/php/includes"
+;
+; Windows: "\path1;\path2"
+;include_path = ".;c:\php\includes"
+;
+; PHP's default setting for include_path is ".;/path/to/php/pear"
+; http://php.net/include-path
+
+; The root of the PHP pages, used only if nonempty.
+; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
+; if you are running php as a CGI under any web server (other than IIS)
+; see documentation for security issues. The alternate is to use the
+; cgi.force_redirect configuration below
+; http://php.net/doc-root
+doc_root =
+
+; The directory under which PHP opens the script using /~username used only
+; if nonempty.
+; http://php.net/user-dir
+user_dir =
+
+; Directory in which the loadable extensions (modules) reside.
+; http://php.net/extension-dir
+;extension_dir = "./"
+; On windows:
+;extension_dir = "ext"
+
+; Directory where the temporary files should be placed.
+; Defaults to the system default (see sys_get_temp_dir)
+;sys_temp_dir = "/tmp"
+
+; Whether or not to enable the dl() function. The dl() function does NOT work
+; properly in multithreaded servers, such as IIS or Zeus, and is automatically
+; disabled on them.
+; http://php.net/enable-dl
+enable_dl = Off
+
+; cgi.force_redirect is necessary to provide security running PHP as a CGI under
+; most web servers. Left undefined, PHP turns this on by default. You can
+; turn it off here AT YOUR OWN RISK
+; **You CAN safely turn this off for IIS, in fact, you MUST.**
+; http://php.net/cgi.force-redirect
+;cgi.force_redirect = 1
+
+; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
+; every request. PHP's default behavior is to disable this feature.
+;cgi.nph = 1
+
+; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
+; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
+; will look for to know it is OK to continue execution. Setting this variable MAY
+; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
+; http://php.net/cgi.redirect-status-env
+;cgi.redirect_status_env =
+
+; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
+; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
+; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
+; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
+; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
+; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
+; http://php.net/cgi.fix-pathinfo
+;cgi.fix_pathinfo=1
+
+; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
+; of the web tree and people will not be able to circumvent .htaccess security.
+;cgi.discard_path=1
+
+; FastCGI under IIS supports the ability to impersonate
+; security tokens of the calling client. This allows IIS to define the
+; security context that the request runs under. mod_fastcgi under Apache
+; does not currently support this feature (03/17/2002)
+; Set to 1 if running under IIS. Default is zero.
+; http://php.net/fastcgi.impersonate
+;fastcgi.impersonate = 1
+
+; Disable logging through FastCGI connection. PHP's default behavior is to enable
+; this feature.
+;fastcgi.logging = 0
+
+; cgi.rfc2616_headers configuration option tells PHP what type of headers to
+; use when sending HTTP response code. If set to 0, PHP sends Status: header that
+; is supported by Apache. When this option is set to 1, PHP will send
+; RFC2616 compliant header.
+; Default is zero.
+; http://php.net/cgi.rfc2616-headers
+;cgi.rfc2616_headers = 0
+
+; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
+; (shebang) at the top of the running script. This line might be needed if the
+; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
+; mode skips this line and ignores its content if this directive is turned on.
+; http://php.net/cgi.check-shebang-line
+;cgi.check_shebang_line=1
+
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+
+; Whether to allow HTTP file uploads.
+; http://php.net/file-uploads
+file_uploads = On
+
+; Temporary directory for HTTP uploaded files (will use system default if not
+; specified).
+; http://php.net/upload-tmp-dir
+;upload_tmp_dir =
+
+; Maximum allowed size for uploaded files.
+; http://php.net/upload-max-filesize
+upload_max_filesize = 2M
+
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 20
+
+;;;;;;;;;;;;;;;;;;
+; Fopen wrappers ;
+;;;;;;;;;;;;;;;;;;
+
+; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-fopen
+allow_url_fopen = On
+
+; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-include
+allow_url_include = Off
+
+; Define the anonymous ftp password (your email address). PHP's default setting
+; for this is empty.
+; http://php.net/from
+;from="john@doe.com"
+
+; Define the User-Agent string. PHP's default setting for this is empty.
+; http://php.net/user-agent
+;user_agent="PHP"
+
+; Default timeout for socket based streams (seconds)
+; http://php.net/default-socket-timeout
+default_socket_timeout = 60
+
+; If your scripts have to deal with files from Macintosh systems,
+; or you are running on a Mac and need to deal with files from
+; unix or win32 systems, setting this flag will cause PHP to
+; automatically detect the EOL character in those files so that
+; fgets() and file() will work regardless of the source of the file.
+; http://php.net/auto-detect-line-endings
+;auto_detect_line_endings = Off
+
+;;;;;;;;;;;;;;;;;;;;;;
+; Dynamic Extensions ;
+;;;;;;;;;;;;;;;;;;;;;;
+
+; If you wish to have an extension loaded automatically, use the following
+; syntax:
+;
+; extension=modulename
+;
+; For example:
+;
+; extension=mysqli
+;
+; When the extension library to load is not located in the default extension
+; directory, You may specify an absolute path to the library file:
+;
+; extension=/path/to/extension/mysqli.so
+;
+; Note : The syntax used in previous PHP versions ('extension=<ext>.so' and
+; 'extension='php_<ext>.dll') is supported for legacy reasons and may be
+; deprecated in a future PHP major version. So, when it is possible, please
+; move to the new ('extension=<ext>) syntax.
+
+;;;;
+; Note: packaged extension modules are now loaded via the .ini files
+; found in the directory /etc/php.d; these are loaded by default.
+;;;;
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+;date.timezone =
+
+; http://php.net/date.default-latitude
+;date.default_latitude = 31.7667
+
+; http://php.net/date.default-longitude
+;date.default_longitude = 35.2333
+
+; http://php.net/date.sunrise-zenith
+;date.sunrise_zenith = 90.833333
+
+; http://php.net/date.sunset-zenith
+;date.sunset_zenith = 90.833333
+
+[filter]
+; http://php.net/filter.default
+;filter.default = unsafe_raw
+
+; http://php.net/filter.default-flags
+;filter.default_flags =
+
+[iconv]
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; If empty, default_charset or input_encoding or iconv.input_encoding is used.
+; The precedence is: default_charset < input_encoding < iconv.input_encoding
+;iconv.input_encoding =
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;iconv.internal_encoding =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; If empty, default_charset or output_encoding or iconv.output_encoding is used.
+; The precedence is: default_charset < output_encoding < iconv.output_encoding
+; To use an output encoding conversion, iconv's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+;iconv.output_encoding =
+
+[imap]
+; rsh/ssh logins are disabled by default. Use this INI entry if you want to
+; enable them. Note that the IMAP library does not filter mailbox names before
+; passing them to rsh/ssh command, thus passing untrusted data to this function
+; with rsh/ssh enabled is insecure.
+;imap.enable_insecure_rsh=0
+
+[intl]
+;intl.default_locale =
+; This directive allows you to produce PHP errors when some error
+; happens within intl functions. The value is the level of the error produced.
+; Default is 0, which does not produce any errors.
+;intl.error_level = E_WARNING
+;intl.use_exceptions = 0
+
+[sqlite3]
+; Directory pointing to SQLite3 extensions
+; http://php.net/sqlite3.extension-dir
+;sqlite3.extension_dir =
+
+; SQLite defensive mode flag (only available from SQLite 3.26+)
+; When the defensive flag is enabled, language features that allow ordinary
+; SQL to deliberately corrupt the database file are disabled. This forbids
+; writing directly to the schema, shadow tables (eg. FTS data tables), or
+; the sqlite_dbpage virtual table.
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+; (for older SQLite versions, this flag has no use)
+;sqlite3.defensive = 1
+
+[Pcre]
+; PCRE library backtracking limit.
+; http://php.net/pcre.backtrack-limit
+;pcre.backtrack_limit=100000
+
+; PCRE library recursion limit.
+; Please note that if you set this value to a high number you may consume all
+; the available process stack and eventually crash PHP (due to reaching the
+; stack size limit imposed by the Operating System).
+; http://php.net/pcre.recursion-limit
+;pcre.recursion_limit=100000
+
+; Enables or disables JIT compilation of patterns. This requires the PCRE
+; library to be compiled with JIT support.
+pcre.jit=0
+
+[Pdo]
+; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
+; http://php.net/pdo-odbc.connection-pooling
+;pdo_odbc.connection_pooling=strict
+
+[Pdo_mysql]
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+pdo_mysql.default_socket=
+
+[Phar]
+; http://php.net/phar.readonly
+;phar.readonly = On
+
+; http://php.net/phar.require-hash
+;phar.require_hash = On
+
+;phar.cache_list =
+
+[mail function]
+; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
+; http://php.net/sendmail-path
+sendmail_path = /usr/sbin/sendmail -t -i
+
+; Force the addition of the specified parameters to be passed as extra parameters
+; to the sendmail binary. These parameters will always replace the value of
+; the 5th parameter to mail().
+;mail.force_extra_parameters =
+
+; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
+mail.add_x_header = Off
+
+; The path to a log file that will log all mail() calls. Log entries include
+; the full path of the script, line number, To address and headers.
+;mail.log =
+; Log mail to syslog (Event Log on Windows).
+;mail.log = syslog
+
+[ODBC]
+; http://php.net/odbc.default-db
+;odbc.default_db = Not yet implemented
+
+; http://php.net/odbc.default-user
+;odbc.default_user = Not yet implemented
+
+; http://php.net/odbc.default-pw
+;odbc.default_pw = Not yet implemented
+
+; Controls the ODBC cursor model.
+; Default: SQL_CURSOR_STATIC (default).
+;odbc.default_cursortype
+
+; Allow or prevent persistent links.
+; http://php.net/odbc.allow-persistent
+odbc.allow_persistent = On
+
+; Check that a connection is still valid before reuse.
+; http://php.net/odbc.check-persistent
+odbc.check_persistent = On
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/odbc.max-persistent
+odbc.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+; http://php.net/odbc.max-links
+odbc.max_links = -1
+
+; Handling of LONG fields. Returns number of bytes to variables. 0 means
+; passthru.
+; http://php.net/odbc.defaultlrl
+odbc.defaultlrl = 4096
+
+; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
+; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
+; of odbc.defaultlrl and odbc.defaultbinmode
+; http://php.net/odbc.defaultbinmode
+odbc.defaultbinmode = 1
+
+[MySQLi]
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/mysqli.max-persistent
+mysqli.max_persistent = -1
+
+; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
+; http://php.net/mysqli.allow_local_infile
+;mysqli.allow_local_infile = On
+
+; Allow or prevent persistent links.
+; http://php.net/mysqli.allow-persistent
+mysqli.allow_persistent = On
+
+; Maximum number of links. -1 means no limit.
+; http://php.net/mysqli.max-links
+mysqli.max_links = -1
+
+; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
+; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
+; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
+; at MYSQL_PORT.
+; http://php.net/mysqli.default-port
+mysqli.default_port = 3306
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/mysqli.default-socket
+mysqli.default_socket =
+
+; Default host for mysqli_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-host
+mysqli.default_host =
+
+; Default user for mysqli_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-user
+mysqli.default_user =
+
+; Default password for mysqli_connect() (doesn't apply in safe mode).
+; Note that this is generally a *bad* idea to store passwords in this file.
+; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
+; and reveal this password! And of course, any users with read access to this
+; file will be able to reveal the password as well.
+; http://php.net/mysqli.default-pw
+mysqli.default_pw =
+
+; Allow or prevent reconnect
+mysqli.reconnect = Off
+
+[mysqlnd]
+; Enable / Disable collection of general statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_statistics = On
+
+; Enable / Disable collection of memory usage statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_memory_statistics = Off
+
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+;mysqlnd.mempool_default_size = 16000
+
+; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
+;mysqlnd.net_cmd_buffer_size = 2048
+
+; Size of a pre-allocated buffer used for reading data sent by the server in
+; bytes.
+;mysqlnd.net_read_buffer_size = 32768
+
+; Timeout for network requests in seconds.
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+;mysqlnd.sha256_server_public_key =
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+
+; Argument passed to save_handler. In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+; session.save_path = "N;/path"
+;
+; where N is an integer. Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories. This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+; You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+; use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+; session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+
+; RPM note : session directory must be owned by process owner
+; for mod_php, see /etc/httpd/conf.d/php.conf
+; for php-fpm, see /etc/php-fpm.d/*conf
+;session.save_path = "/tmp"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept an uninitialized session ID, and
+; regenerates the session ID if the browser sends an uninitialized session ID.
+; Strict mode protects applications from session fixation via a session adoption
+; vulnerability. It is disabled by default for maximum compatibility, but
+; enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it
+; inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
+; Current valid values are "Strict", "Lax" or "None". When using "None",
+; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
+; https://tools.ietf.org/html/draft-west-first-party-cookies-07
+session.cookie_samesite =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 1
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; For high volume production servers, using a value of 1000 is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = 1440
+
+; NOTE: If you are using the subdirectory option for storing session files
+; (see session.save_path above), then garbage collection does *not*
+; happen automatically. You will need to do your own garbage
+; collection through a shell script, cron entry, or some other method.
+; For example, the following script is the equivalent of setting
+; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+; find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publicly accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Set session ID character length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users should use 32 or more chars.
+; http://php.net/session.sid-length
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+; <form> is special; if you include them here, the rewriter will
+; add a hidden <input> field with the info which is otherwise appended
+; to URLs. <form> tag's action attribute URL will not be modified
+; unless it is specified.
+; Note that all valid entries require a "=", even if no value follows.
+; Default Value: "a=href,area=href,frame=src,form="
+; Development Value: "a=href,area=href,frame=src,form="
+; Production Value: "a=href,area=href,frame=src,form="
+; http://php.net/url-rewriter.tags
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+; URL rewriter does not rewrite absolute URLs by default.
+; To enable rewrites for absolute paths, target hosts must be specified
+; at RUNTIME. i.e. use ini_set()
+; <form> tags is special. PHP will check action attribute's URL regardless
+; of session.trans_sid_tags setting.
+; If no host is defined, HTTP_HOST will be used for allowed host.
+; Example value: php.net,www.php.net,wiki.php.net
+; Use "," for multiple hosts. No spaces are allowed.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;session.trans_sid_hosts=""
+
+; Define how many bits are stored in each character when converting
+; the binary hash data to something readable.
+; Possible values:
+; 4 (4 bits: 0-9, a-f)
+; 5 (5 bits: 0-9, a-v)
+; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+; http://php.net/session.hash-bits-per-character
+session.sid_bits_per_character = 5
+
+; Enable upload progress tracking in $_SESSION
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.enabled
+;session.upload_progress.enabled = On
+
+; Cleanup the progress information as soon as all POST data has been read
+; (i.e. upload completed).
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.cleanup
+;session.upload_progress.cleanup = On
+
+; A prefix used for the upload progress key in $_SESSION
+; Default Value: "upload_progress_"
+; Development Value: "upload_progress_"
+; Production Value: "upload_progress_"
+; http://php.net/session.upload-progress.prefix
+;session.upload_progress.prefix = "upload_progress_"
+
+; The index name (concatenated with the prefix) in $_SESSION
+; containing the upload progress information
+; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; http://php.net/session.upload-progress.name
+;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
+
+; How frequently the upload progress should be updated.
+; Given either in percentages (per-file), or in bytes
+; Default Value: "1%"
+; Development Value: "1%"
+; Production Value: "1%"
+; http://php.net/session.upload-progress.freq
+;session.upload_progress.freq = "1%"
+
+; The minimum delay between updates, in seconds
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.upload-progress.min-freq
+;session.upload_progress.min_freq = "1"
+
+; Only write session data when session data is changed. Enabled by default.
+; http://php.net/session.lazy-write
+;session.lazy_write = On
+
+[Assertion]
+; Switch whether to compile assertions at all (to have no overhead at run-time)
+; -1: Do not compile at all
+; 0: Jump over assertion at run-time
+; 1: Execute assertions
+; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
+; Default Value: 1
+; Development Value: 1
+; Production Value: -1
+; http://php.net/zend.assertions
+zend.assertions = -1
+
+; Assert(expr); active by default.
+; http://php.net/assert.active
+;assert.active = On
+
+; Throw an AssertionError on failed assertions
+; http://php.net/assert.exception
+;assert.exception = On
+
+; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
+; http://php.net/assert.warning
+;assert.warning = On
+
+; Don't bail out by default.
+; http://php.net/assert.bail
+;assert.bail = Off
+
+; User-function to be called if an assertion fails.
+; http://php.net/assert.callback
+;assert.callback = 0
+
+[mbstring]
+; language for internal character representation.
+; This affects mb_send_mail() and mbstring.detect_order.
+; http://php.net/mbstring.language
+;mbstring.language = Japanese
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; internal/script encoding.
+; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*)
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;mbstring.internal_encoding =
+
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; http input encoding.
+; mbstring.encoding_translation = On is needed to use this setting.
+; If empty, default_charset or input_encoding or mbstring.input is used.
+; The precedence is: default_charset < input_encoding < mbstring.http_input
+; http://php.net/mbstring.http-input
+;mbstring.http_input =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; http output encoding.
+; mb_output_handler must be registered as output buffer to function.
+; If empty, default_charset or output_encoding or mbstring.http_output is used.
+; The precedence is: default_charset < output_encoding < mbstring.http_output
+; To use an output encoding conversion, mbstring's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+; http://php.net/mbstring.http-output
+;mbstring.http_output =
+
+; enable automatic encoding translation according to
+; mbstring.internal_encoding setting. Input chars are
+; converted to internal encoding by setting this to On.
+; Note: Do _not_ use automatic encoding translation for
+; portable libs/applications.
+; http://php.net/mbstring.encoding-translation
+;mbstring.encoding_translation = Off
+
+; automatic encoding detection order.
+; "auto" detect order is changed according to mbstring.language
+; http://php.net/mbstring.detect-order
+;mbstring.detect_order = auto
+
+; substitute_character used when character cannot be converted
+; one from another
+; http://php.net/mbstring.substitute-character
+;mbstring.substitute_character = none
+
+; Enable strict encoding detection.
+;mbstring.strict_detection = Off
+
+; This directive specifies the regex pattern of content types for which mb_output_handler()
+; is activated.
+; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml)
+;mbstring.http_output_conv_mimetype=
+
+; This directive specifies maximum stack depth for mbstring regular expressions. It is similar
+; to the pcre.recursion_limit for PCRE.
+;mbstring.regex_stack_limit=100000
+
+; This directive specifies maximum retry count for mbstring regular expressions. It is similar
+; to the pcre.backtrack_limit for PCRE.
+;mbstring.regex_retry_limit=1000000
+
+[gd]
+; Tell the jpeg decode to ignore warnings and try to create
+; a gd image. The warning will then be displayed as notices
+; disabled by default
+; http://php.net/gd.jpeg-ignore-warning
+;gd.jpeg_ignore_warning = 1
+
+[exif]
+; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
+; With mbstring support this will automatically be converted into the encoding
+; given by corresponding encode setting. When empty mbstring.internal_encoding
+; is used. For the decode settings you can distinguish between motorola and
+; intel byte order. A decode setting cannot be empty.
+; http://php.net/exif.encode-unicode
+;exif.encode_unicode = ISO-8859-15
+
+; http://php.net/exif.decode-unicode-motorola
+;exif.decode_unicode_motorola = UCS-2BE
+
+; http://php.net/exif.decode-unicode-intel
+;exif.decode_unicode_intel = UCS-2LE
+
+; http://php.net/exif.encode-jis
+;exif.encode_jis =
+
+; http://php.net/exif.decode-jis-motorola
+;exif.decode_jis_motorola = JIS
+
+; http://php.net/exif.decode-jis-intel
+;exif.decode_jis_intel = JIS
+
+[Tidy]
+; The path to a default tidy configuration file to use when using tidy
+; http://php.net/tidy.default-config
+;tidy.default_config = /usr/local/lib/php/default.tcfg
+
+; Should tidy clean and repair output automatically?
+; WARNING: Do not use this option if you are generating non-html content
+; such as dynamic images
+; http://php.net/tidy.clean-output
+tidy.clean_output = Off
+
+[soap]
+; Enables or disables WSDL caching feature.
+; http://php.net/soap.wsdl-cache-enabled
+soap.wsdl_cache_enabled=1
+
+; Sets the directory name where SOAP extension will put cache files.
+; http://php.net/soap.wsdl-cache-dir
+
+; RPM note : cache directory must be owned by process owner
+; for mod_php, see /etc/httpd/conf.d/php.conf
+; for php-fpm, see /etc/php-fpm.d/*conf
+soap.wsdl_cache_dir="/tmp"
+
+; (time to live) Sets the number of second while cached file will be used
+; instead of original one.
+; http://php.net/soap.wsdl-cache-ttl
+soap.wsdl_cache_ttl=86400
+
+; Sets the size of the cache limit. (Max. number of WSDL files to cache)
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+; A default size of the shared memory segment
+;sysvshm.init_mem = 10000
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[dba]
+;dba.default_handler=
+
+[opcache]
+; see /etc/php.d/10-opcache.ini
+
+[curl]
+; A default value for the CURLOPT_CAINFO option. This is required to be an
+; absolute path.
+;curl.cainfo =
+
+[openssl]
+; The location of a Certificate Authority (CA) file on the local filesystem
+; to use when verifying the identity of SSL/TLS peers. Most users should
+; not specify a value for this directive as PHP will attempt to use the
+; OS-managed cert stores in its absence. If specified, this value may still
+; be overridden on a per-stream basis via the "cafile" SSL stream context
+; option.
+;openssl.cafile=
+
+; If openssl.cafile is not specified or if the CA file is not found, the
+; directory pointed to by openssl.capath is searched for a suitable
+; certificate. This value must be a correctly hashed certificate directory.
+; Most users should not specify a value for this directive as PHP will
+; attempt to use the OS-managed cert stores in its absence. If specified,
+; this value may still be overridden on a per-stream basis via the "capath"
+; SSL stream context option.
+;openssl.capath=
+
+[ffi]
+; see /etc/php.d/20-ffi.ini
diff --git a/SOURCES/php.modconf b/SOURCES/php.modconf
new file mode 100644
index 0000000..3377f72
--- /dev/null
+++ b/SOURCES/php.modconf
@@ -0,0 +1,12 @@
+#
+# PHP is an HTML-embedded scripting language which attempts to make it
+# easy for developers to write dynamically generated webpages.
+#
+
+# Cannot load both php5 and php7 modules
+<IfModule !mod_php5.c>
+ <IfModule prefork.c>
+ LoadModule php7_module modules/libphp7.so
+ </IfModule>
+</IfModule>
+
diff --git a/SPECS/php.spec b/SPECS/php.spec
new file mode 100644
index 0000000..35de9b7
--- /dev/null
+++ b/SPECS/php.spec
@@ -0,0 +1,3434 @@
+# Fedora spec file for php
+#
+# License: MIT
+# http://opensource.org/licenses/MIT
+#
+# Please preserve changelog entries
+#
+
+# API/ABI check
+%global apiver 20200930
+%global zendver 20200930
+%global pdover 20170320
+
+# we don't want -z defs linker flag
+%undefine _strict_symbol_defs_build
+
+# Adds -z now to the linker flags
+%global _hardened_build 1
+
+# version used for php embedded library soname
+%global embed_version 8.0
+
+%global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock)
+
+# Regression tests take a long time, you can skip 'em with this
+#global runselftest 0
+%{!?runselftest: %global runselftest 1}
+
+# Use the arch-specific mysql_config binary to avoid mismatch with the
+# arch detection heuristic used by bindir/mysql_config.
+%global mysql_config %{_libdir}/mysql/mysql_config
+
+# needed at srpm build time, when httpd-devel not yet installed
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}}
+
+%if 0%{?fedora}
+# Enabled by default on Fedora
+%bcond_without zts
+%bcond_without firebird
+%bcond_without freetds
+%bcond_without sodium
+%bcond_without pspell
+%bcond_without tidy
+%bcond_without db4
+%else
+# Disabled by default on RHEL
+%bcond_with zts
+%bcond_with firebird
+%bcond_with freetds
+%bcond_with sodium
+%bcond_with pspell
+%bcond_with tidy
+%bcond_with db4
+%endif
+%bcond_with modphp
+%bcond_with imap
+%bcond_without lmdb
+
+%global upver 8.0.13
+#global rcver RC1
+
+Summary: PHP scripting language for creating dynamic web sites
+Name: php
+Version: %{upver}%{?rcver:~%{rcver}}
+Release: 1%{?dist}
+# All files licensed under PHP version 3.01, except
+# Zend is licensed under Zend
+# TSRM is licensed under BSD
+# main/snprintf.c, main/spprintf.c and main/rfc1867.c are ASL 1.0
+# ext/date/lib is MIT
+# Zend/zend_sort is NCSA
+License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
+URL: http://www.php.net/
+
+Source0: https://www.php.net/distributions/php-%{upver}%{?rcver}.tar.xz
+Source1: php.conf
+Source2: php.ini
+Source3: macros.php
+Source4: php-fpm.conf
+Source5: php-fpm-www.conf
+Source6: php-fpm.service
+Source7: php-fpm.logrotate
+Source9: php.modconf
+Source12: php-fpm.wants
+Source13: nginx-fpm.conf
+Source14: nginx-php.conf
+# See https://secure.php.net/gpg-keys.php
+Source20: https://www.php.net/distributions/php-keyring.gpg
+Source21: https://www.php.net/distributions/php-%{upver}%{?rcver}.tar.xz.asc
+# Configuration files for some extensions
+Source50: 10-opcache.ini
+Source51: opcache-default.blacklist
+Source53: 20-ffi.ini
+
+# Build fixes
+Patch1: php-7.4.0-httpd.patch
+Patch5: php-7.2.0-includedir.patch
+Patch6: php-8.0.0-embed.patch
+Patch8: php-7.4.0-libdb.patch
+# get rid of deprecated functions from 8.1
+Patch9: php-8.0.6-deprecated.patch
+
+# Functional changes
+# Use system nikic/php-parser
+Patch41: php-8.0.0-parser.patch
+# use system tzdata
+Patch42: php-8.0.10-systzdata-v20.patch
+# See http://bugs.php.net/53436
+Patch43: php-7.4.0-phpize.patch
+# Use -lldap_r for OpenLDAP
+Patch45: php-7.4.0-ldap_r.patch
+# drop "Configure command" from phpinfo output
+# and only use gcc (instead of full version)
+Patch47: php-8.0.0-phpinfo.patch
+# add sha256 / sha512 security protocol, from 8.1
+Patch48: php-8.0.10-snmp-sha.patch
+# switch phar to use sha256 signature by default, from 8.1
+# implement openssl_256 and openssl_512 for phar signatures, from 8.1
+Patch49: php-8.0.10-phar-sha.patch
+# compatibility with OpenSSL 3.0, from 8.1
+Patch50: php-8.0.10-openssl3.patch
+# use system libxcrypt
+Patch51: php-8.0.13-crypt.patch
+
+# Upstream fixes (100+)
+
+# Security fixes (200+)
+
+# Fixes for tests (300+)
+# Factory is droped from system tzdata
+Patch300: php-7.4.0-datetests.patch
+
+
+BuildRequires: gnupg2
+BuildRequires: bzip2-devel
+BuildRequires: pkgconfig(libcurl) >= 7.29.0
+BuildRequires: httpd-devel >= 2.0.46-1
+BuildRequires: pam-devel
+# to ensure we are using httpd with filesystem feature (see #1081453)
+BuildRequires: httpd-filesystem
+# to ensure we are using nginx with filesystem feature (see #1142298)
+BuildRequires: nginx-filesystem
+BuildRequires: libstdc++-devel
+# no pkgconfig to avoid compat-openssl10
+BuildRequires: openssl-devel >= 1.0.1
+BuildRequires: pkgconfig(sqlite3) >= 3.7.4
+BuildRequires: pkgconfig(zlib) >= 1.2.0.4
+BuildRequires: smtpdaemon
+BuildRequires: pkgconfig(libedit)
+BuildRequires: pkgconfig(libpcre2-8) >= 10.30
+BuildRequires: bzip2
+BuildRequires: perl-interpreter
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: gcc-c++
+BuildRequires: libtool
+BuildRequires: libtool-ltdl-devel
+BuildRequires: systemtap-sdt-devel
+# used for tests
+BuildRequires: %{_bindir}/ps
+
+%if %{with zts}
+Provides: php-zts = %{version}-%{release}
+Provides: php-zts%{?_isa} = %{version}-%{release}
+%endif
+
+%if %{with modphp}
+Requires: httpd-mmn = %{_httpd_mmn}
+Provides: mod_php = %{version}-%{release}
+# To ensure correct /var/lib/php/session ownership:
+Requires(pre): httpd-filesystem
+# php engine for Apache httpd webserver
+Provides: php(httpd)
+# mod_php is deprecated, no package should requires php or mod_php
+# all packages must requires used SAPI (cli, fpm, embded..)
+# and used extrensions (mysqli, mbstring, xmlwriter...)
+Provides: deprecated()
+%else
+# preserve old behavior
+Recommends: httpd
+%endif
+Requires: php-common%{?_isa} = %{version}-%{release}
+# For backwards-compatibility, pull the "php" command
+Recommends: php-cli%{?_isa} = %{version}-%{release}
+# httpd have threaded MPM by default
+Recommends: php-fpm%{?_isa} = %{version}-%{release}
+# as "php" is now mostly a meta-package, commonly used extensions
+# reduce diff with "dnf module install php"
+Recommends: php-mbstring%{?_isa} = %{version}-%{release}
+Recommends: php-opcache%{?_isa} = %{version}-%{release}
+Recommends: php-pdo%{?_isa} = %{version}-%{release}
+%if %{with sodium}
+Recommends: php-sodium%{?_isa} = %{version}-%{release}
+%endif
+Recommends: php-xml%{?_isa} = %{version}-%{release}
+
+
+%description
+PHP is an HTML-embedded scripting language. PHP attempts to make it
+easy for developers to write dynamically generated web pages. PHP also
+offers built-in database integration for several commercial and
+non-commercial database management systems, so writing a
+database-enabled webpage with PHP is fairly simple. The most common
+use of PHP coding is probably as a replacement for CGI scripts.
+%if %{with modphp}
+The php package contains the module (often referred to as mod_php)
+which adds support for the PHP language to Apache HTTP Server when
+running in prefork mode. This module is deprecated.
+%endif
+
+%package cli
+Summary: Command-line interface for PHP
+# sapi/cli/ps_title.c is PostgreSQL
+License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA and PostgreSQL
+Requires: php-common%{?_isa} = %{version}-%{release}
+Provides: php-cgi = %{version}-%{release}, php-cgi%{?_isa} = %{version}-%{release}
+Provides: php-pcntl, php-pcntl%{?_isa}
+Provides: php-readline, php-readline%{?_isa}
+
+%description cli
+The php-cli package contains the command-line interface
+executing PHP scripts, /usr/bin/php, and the CGI interface.
+
+
+%package dbg
+Summary: The interactive PHP debugger
+Requires: php-common%{?_isa} = %{version}-%{release}
+
+%description dbg
+The php-dbg package contains the interactive PHP debugger.
+
+
+%package fpm
+Summary: PHP FastCGI Process Manager
+BuildRequires: libacl-devel
+BuildRequires: pkgconfig(libsystemd) >= 209
+Requires: php-common%{?_isa} = %{version}-%{release}
+Requires(pre): /usr/sbin/useradd
+%{?systemd_requires}
+# To ensure correct /var/lib/php/session ownership:
+Requires(pre): httpd-filesystem
+# For php.conf in /etc/httpd/conf.d
+# and version 2.4.10 for proxy support in SetHandler
+Requires: httpd-filesystem >= 2.4.10
+# php engine for Apache httpd webserver
+Provides: php(httpd)
+# for /etc/nginx ownership
+Requires: nginx-filesystem
+
+%description fpm
+PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI
+implementation with some additional features useful for sites of
+any size, especially busier sites.
+
+%package common
+Summary: Common files for PHP
+# All files licensed under PHP version 3.01, except
+# fileinfo is licensed under PHP version 3.0
+# regex, libmagic are licensed under BSD
+License: PHP and BSD
+# ABI/API check - Arch specific
+Provides: php(api) = %{apiver}-%{__isa_bits}
+Provides: php(zend-abi) = %{zendver}-%{__isa_bits}
+Provides: php(language) = %{version}, php(language)%{?_isa} = %{version}
+# Provides for all builtin/shared modules:
+Provides: php-bz2, php-bz2%{?_isa}
+Provides: php-calendar, php-calendar%{?_isa}
+Provides: php-core = %{version}, php-core%{?_isa} = %{version}
+Provides: php-ctype, php-ctype%{?_isa}
+Provides: php-curl, php-curl%{?_isa}
+Provides: php-date, php-date%{?_isa}
+Provides: bundled(timelib)
+Provides: php-exif, php-exif%{?_isa}
+Provides: php-fileinfo, php-fileinfo%{?_isa}
+Provides: bundled(libmagic) = 5.29
+Provides: php-filter, php-filter%{?_isa}
+Provides: php-ftp, php-ftp%{?_isa}
+Provides: php-gettext, php-gettext%{?_isa}
+Provides: php-hash, php-hash%{?_isa}
+Provides: php-mhash = %{version}, php-mhash%{?_isa} = %{version}
+Provides: php-iconv, php-iconv%{?_isa}
+Obsoletes: php-json < 8
+Provides: php-json = %{version}, php-json%{?_isa} = %{version}
+Provides: php-libxml, php-libxml%{?_isa}
+Provides: php-openssl, php-openssl%{?_isa}
+Provides: php-phar, php-phar%{?_isa}
+Provides: php-pcre, php-pcre%{?_isa}
+Provides: php-reflection, php-reflection%{?_isa}
+Provides: php-session, php-session%{?_isa}
+Provides: php-sockets, php-sockets%{?_isa}
+Provides: php-spl, php-spl%{?_isa}
+Provides: php-standard = %{version}, php-standard%{?_isa} = %{version}
+Provides: php-tokenizer, php-tokenizer%{?_isa}
+Provides: php-zlib, php-zlib%{?_isa}
+
+%description common
+The php-common package contains files used by both the php
+package and the php-cli package.
+
+%package devel
+Summary: Files needed for building PHP extensions
+Requires: php-cli%{?_isa} = %{version}-%{release}
+# always needed to build extension
+Requires: autoconf
+Requires: automake
+Requires: make
+Requires: gcc
+Requires: gcc-c++
+Requires: libtool
+# see "php-config --libs"
+Requires: krb5-devel%{?_isa}
+Requires: libxml2-devel%{?_isa}
+Requires: openssl-devel%{?_isa} >= 1.0.1
+Requires: pcre2-devel%{?_isa}
+Requires: zlib-devel%{?_isa}
+%if %{with zts}
+Provides: php-zts-devel = %{version}-%{release}
+Provides: php-zts-devel%{?_isa} = %{version}-%{release}
+%endif
+Recommends: php-nikic-php-parser4 >= 4.3.0
+
+
+%description devel
+The php-devel package contains the files needed for building PHP
+extensions. If you need to compile your own PHP extensions, you will
+need to install this package.
+
+%package opcache
+Summary: The Zend OPcache
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+Provides: php-pecl-zendopcache = %{version}
+Provides: php-pecl-zendopcache%{?_isa} = %{version}
+Provides: php-pecl(opcache) = %{version}
+Provides: php-pecl(opcache)%{?_isa} = %{version}
+
+%description opcache
+The Zend OPcache provides faster PHP execution through opcode caching and
+optimization. It improves PHP performance by storing precompiled script
+bytecode in the shared memory. This eliminates the stages of reading code from
+the disk and compiling it on future access. In addition, it applies a few
+bytecode optimization patterns that make code execution faster.
+
+%if %{with imap}
+%package imap
+Summary: A module for PHP applications that use IMAP
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+BuildRequires: pkgconfig(krb5)
+BuildRequires: pkgconfig(krb5-gssapi)
+BuildRequires: openssl-devel >= 1.0.1
+BuildRequires: libc-client-devel
+
+%description imap
+The php-imap module will add IMAP (Internet Message Access Protocol)
+support to PHP. IMAP is a protocol for retrieving and uploading e-mail
+messages on mail servers. PHP is an HTML-embedded scripting language.
+%endif
+
+%package ldap
+Summary: A module for PHP applications that use LDAP
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+BuildRequires: pkgconfig(libsasl2)
+BuildRequires: openldap-devel
+BuildRequires: openssl-devel >= 1.0.1
+
+%description ldap
+The php-ldap adds Lightweight Directory Access Protocol (LDAP)
+support to PHP. LDAP is a set of protocols for accessing directory
+services over the Internet. PHP is an HTML-embedded scripting
+language.
+
+%package pdo
+Summary: A database access abstraction module for PHP applications
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+# ABI/API check - Arch specific
+Provides: php-pdo-abi = %{pdover}-%{__isa_bits}
+Provides: php(pdo-abi) = %{pdover}-%{__isa_bits}
+Provides: php-sqlite3, php-sqlite3%{?_isa}
+Provides: php-pdo_sqlite, php-pdo_sqlite%{?_isa}
+
+%description pdo
+The php-pdo package contains a dynamic shared object that will add
+a database access abstraction layer to PHP. This module provides
+a common interface for accessing MySQL, PostgreSQL or other
+databases.
+
+%package mysqlnd
+Summary: A module for PHP applications that use MySQL databases
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-pdo%{?_isa} = %{version}-%{release}
+Provides: php_database
+Provides: php-mysqli = %{version}-%{release}
+Provides: php-mysqli%{?_isa} = %{version}-%{release}
+Provides: php-pdo_mysql, php-pdo_mysql%{?_isa}
+
+%description mysqlnd
+The php-mysqlnd package contains a dynamic shared object that will add
+MySQL database support to PHP. MySQL is an object-relational database
+management system. PHP is an HTML-embeddable scripting language. If
+you need MySQL support for PHP applications, you will need to install
+this package and the php package.
+
+This package use the MySQL Native Driver
+
+%package pgsql
+Summary: A PostgreSQL database module for PHP
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-pdo%{?_isa} = %{version}-%{release}
+Provides: php_database
+Provides: php-pdo_pgsql, php-pdo_pgsql%{?_isa}
+BuildRequires: krb5-devel
+BuildRequires: openssl-devel >= 1.0.1
+BuildRequires: libpq-devel
+
+%description pgsql
+The php-pgsql package add PostgreSQL database support to PHP.
+PostgreSQL is an object-relational database management
+system that supports almost all SQL constructs. PHP is an
+HTML-embedded scripting language. If you need back-end support for
+PostgreSQL, you should install this package in addition to the main
+php package.
+
+%package process
+Summary: Modules for PHP script using system process interfaces
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+Provides: php-posix, php-posix%{?_isa}
+Provides: php-shmop, php-shmop%{?_isa}
+Provides: php-sysvsem, php-sysvsem%{?_isa}
+Provides: php-sysvshm, php-sysvshm%{?_isa}
+Provides: php-sysvmsg, php-sysvmsg%{?_isa}
+
+%description process
+The php-process package contains dynamic shared objects which add
+support to PHP using system interfaces for inter-process
+communication.
+
+%package odbc
+Summary: A module for PHP applications that use ODBC databases
+# All files licensed under PHP version 3.01, except
+# pdo_odbc is licensed under PHP version 3.0
+License: PHP
+Requires: php-pdo%{?_isa} = %{version}-%{release}
+Provides: php_database
+Provides: php-pdo_odbc, php-pdo_odbc%{?_isa}
+BuildRequires: unixODBC-devel
+
+%description odbc
+The php-odbc package contains a dynamic shared object that will add
+database support through ODBC to PHP. ODBC is an open specification
+which provides a consistent API for developers to use for accessing
+data sources (which are often, but not always, databases). PHP is an
+HTML-embeddable scripting language. If you need ODBC support for PHP
+applications, you will need to install this package and the php
+package.
+
+%package soap
+Summary: A module for PHP applications that use the SOAP protocol
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+BuildRequires: pkgconfig(libxml-2.0)
+
+%description soap
+The php-soap package contains a dynamic shared object that will add
+support to PHP for using the SOAP web services protocol.
+
+%if %{with firebird}
+%package pdo-firebird
+Summary: PDO driver for Interbase/Firebird databases
+# All files licensed under PHP version 3.01
+License: PHP
+# for fb_config command
+BuildRequires: firebird-devel
+Requires: php-pdo%{?_isa} = %{version}-%{release}
+Provides: php_database
+Provides: php-pdo_firebird, php-pdo_firebird%{?_isa}
+
+%description pdo-firebird
+The php-pdo-firebird package contains the PDO driver for
+Interbase/Firebird databases.
+%endif
+
+%package snmp
+Summary: A module for PHP applications that query SNMP-managed devices
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}, net-snmp
+BuildRequires: net-snmp-devel
+
+%description snmp
+The php-snmp package contains a dynamic shared object that will add
+support for querying SNMP devices to PHP. PHP is an HTML-embeddable
+scripting language. If you need SNMP support for PHP applications, you
+will need to install this package and the php package.
+
+%package xml
+Summary: A module for PHP applications which use XML
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+Provides: php-dom, php-dom%{?_isa}
+Provides: php-domxml, php-domxml%{?_isa}
+Provides: php-simplexml, php-simplexml%{?_isa}
+Provides: php-xmlreader, php-xmlreader%{?_isa}
+Provides: php-xmlwriter, php-xmlwriter%{?_isa}
+Provides: php-xsl, php-xsl%{?_isa}
+BuildRequires: pkgconfig(libxslt) >= 1.1
+BuildRequires: pkgconfig(libexslt)
+BuildRequires: pkgconfig(libxml-2.0) >= 2.7.6
+
+%description xml
+The php-xml package contains dynamic shared objects which add support
+to PHP for manipulating XML documents using the DOM tree,
+and performing XSL transformations on XML documents.
+
+%package mbstring
+Summary: A module for PHP applications which need multi-byte string handling
+# All files licensed under PHP version 3.01, except
+# libmbfl is licensed under LGPLv2
+# ucgendat is licensed under OpenLDAP
+License: PHP and LGPLv2 and OpenLDAP
+BuildRequires: pkgconfig(oniguruma) >= 6.8
+Provides: bundled(libmbfl) = 1.3.2
+Requires: php-common%{?_isa} = %{version}-%{release}
+
+%description mbstring
+The php-mbstring package contains a dynamic shared object that will add
+support for multi-byte string handling to PHP.
+
+%package gd
+Summary: A module for PHP applications for using the gd graphics library
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+BuildRequires: pkgconfig(gdlib) >= 2.1.1
+
+%description gd
+The php-gd package contains a dynamic shared object that will add
+support for using the gd graphics library to PHP.
+
+%package bcmath
+Summary: A module for PHP applications for using the bcmath library
+# All files licensed under PHP version 3.01, except
+# libbcmath is licensed under LGPLv2+
+License: PHP and LGPLv2+
+Requires: php-common%{?_isa} = %{version}-%{release}
+
+%description bcmath
+The php-bcmath package contains a dynamic shared object that will add
+support for using the bcmath library to PHP.
+
+%package gmp
+Summary: A module for PHP applications for using the GNU MP library
+# All files licensed under PHP version 3.01
+License: PHP
+BuildRequires: gmp-devel
+Requires: php-common%{?_isa} = %{version}-%{release}
+
+%description gmp
+These functions allow you to work with arbitrary-length integers
+using the GNU MP library.
+
+%package dba
+Summary: A database abstraction layer module for PHP applications
+# All files licensed under PHP version 3.01
+License: PHP
+%if %{with db4}
+BuildRequires: libdb-devel
+%endif
+BuildRequires: tokyocabinet-devel
+%if %{with lmdb}
+BuildRequires: lmdb-devel
+%endif
+Requires: php-common%{?_isa} = %{version}-%{release}
+
+%description dba
+The php-dba package contains a dynamic shared object that will add
+support for using the DBA database abstraction layer to PHP.
+
+%if %{with tidy}
+%package tidy
+Summary: Standard PHP module provides tidy library support
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+BuildRequires: libtidy-devel
+
+%description tidy
+The php-tidy package contains a dynamic shared object that will add
+support for using the tidy library to PHP.
+%endif
+
+%if %{with freetds}
+%package pdo-dblib
+Summary: PDO driver for Microsoft SQL Server and Sybase databases
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-pdo%{?_isa} = %{version}-%{release}
+BuildRequires: freetds-devel
+Provides: php-pdo_dblib, php-pdo_dblib%{?_isa}
+
+%description pdo-dblib
+The php-pdo-dblib package contains a dynamic shared object
+that implements the PHP Data Objects (PDO) interface to enable access from
+PHP to Microsoft SQL Server and Sybase databases through the FreeTDS library.
+%endif
+
+%package embedded
+Summary: PHP library for embedding in applications
+Requires: php-common%{?_isa} = %{version}-%{release}
+# doing a real -devel package for just the .so symlink is a bit overkill
+Provides: php-embedded-devel = %{version}-%{release}
+Provides: php-embedded-devel%{?_isa} = %{version}-%{release}
+
+%description embedded
+The php-embedded package contains a library which can be embedded
+into applications to provide PHP scripting language support.
+
+%if %{with pspell}
+%package pspell
+Summary: A module for PHP applications for using pspell interfaces
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+BuildRequires: aspell-devel >= 0.50.0
+
+%description pspell
+The php-pspell package contains a dynamic shared object that will add
+support for using the pspell library to PHP.
+%endif
+
+%package intl
+Summary: Internationalization extension for PHP applications
+# All files licensed under PHP version 3.01
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+BuildRequires: pkgconfig(icu-i18n) >= 50.1
+BuildRequires: pkgconfig(icu-io) >= 50.1
+BuildRequires: pkgconfig(icu-uc) >= 50.1
+
+%description intl
+The php-intl package contains a dynamic shared object that will add
+support for using the ICU library to PHP.
+
+%package enchant
+Summary: Enchant spelling extension for PHP applications
+# All files licensed under PHP version 3.0
+License: PHP
+Requires: php-common%{?_isa} = %{version}-%{release}
+BuildRequires: pkgconfig(enchant-2)
+
+%description enchant
+The php-enchant package contains a dynamic shared object that will add
+support for using the enchant library to PHP.
+
+%if %{with sodium}
+%package sodium
+Summary: Wrapper for the Sodium cryptographic library
+# All files licensed under PHP version 3.0.1
+License: PHP
+BuildRequires: pkgconfig(libsodium) >= 1.0.9
+
+Requires: php-common%{?_isa} = %{version}-%{release}
+Obsoletes: php-pecl-libsodium2 < 3
+Provides: php-pecl(libsodium) = %{version}
+Provides: php-pecl(libsodium)%{?_isa} = %{version}
+
+%description sodium
+The php-sodium package provides a simple,
+low-level PHP extension for the libsodium cryptographic library.
+%endif
+
+
+%package ffi
+Summary: Foreign Function Interface
+# All files licensed under PHP version 3.0.1
+License: PHP
+Group: System Environment/Libraries
+BuildRequires: pkgconfig(libffi)
+Requires: php-common%{?_isa} = %{version}-%{release}
+
+%description ffi
+FFI is one of the features that made Python and LuaJIT very useful for fast
+prototyping. It allows calling C functions and using C data types from pure
+scripting language and therefore develop “system code” more productively.
+
+For PHP, FFI opens a way to write PHP extensions and bindings to C libraries
+in pure PHP.
+
+
+%prep
+%{?gpgverify:%{gpgverify} --keyring='%{SOURCE20}' --signature='%{SOURCE21}' --data='%{SOURCE0}'}
+
+%setup -q -n php-%{upver}%{?rcver}
+
+%patch1 -p1 -b .mpmcheck
+%patch5 -p1 -b .includedir
+%patch6 -p1 -b .embed
+%patch8 -p1 -b .libdb
+%patch9 -p1 -b .deprecated
+
+%patch42 -p1 -b .systzdata
+%patch43 -p1 -b .headers
+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
+%patch45 -p1 -b .ldap_r
+%endif
+%patch47 -p1 -b .phpinfo
+%patch48 -p1 -b .sha
+%patch49 -p1 -b .pharsha
+%patch50 -p1 -b .openssl3
+rm ext/openssl/tests/p12_with_extra_certs.p12
+%patch51 -p1 -b .libxcrypt
+
+# upstream patches
+
+# security patches
+
+# Fixes for tests
+%patch300 -p1 -b .datetests
+
+
+# Prevent %%doc confusion over LICENSE files
+cp Zend/LICENSE Zend/ZEND_LICENSE
+cp TSRM/LICENSE TSRM_LICENSE
+cp sapi/fpm/LICENSE fpm_LICENSE
+cp ext/mbstring/libmbfl/LICENSE libmbfl_LICENSE
+cp ext/fileinfo/libmagic/LICENSE libmagic_LICENSE
+cp ext/bcmath/libbcmath/LICENSE libbcmath_LICENSE
+cp ext/date/lib/LICENSE.rst timelib_LICENSE
+
+# Multiple builds for multiple SAPIs
+mkdir build-cgi build-embedded \
+%if %{with modphp}
+ build-apache \
+%endif
+%if %{with zts}
+ build-zts build-ztscli \
+%endif
+ build-fpm
+
+# ----- Manage known as failed test -------
+# affected by systzdata patch
+rm ext/date/tests/timezone_location_get.phpt
+rm ext/date/tests/timezone_version_get.phpt
+rm ext/date/tests/timezone_version_get_basic1.phpt
+# fails sometime
+rm ext/sockets/tests/mcast_ipv?_recv.phpt
+# cause stack exhausion
+rm Zend/tests/bug54268.phpt
+rm Zend/tests/bug68412.phpt
+# tar issue
+rm ext/zlib/tests/004-mb.phpt
+
+# Safety check for API version change.
+pver=$(sed -n '/#define PHP_VERSION /{s/.* "//;s/".*$//;p}' main/php_version.h)
+if test "x${pver}" != "x%{upver}%{?rcver}"; then
+ : Error: Upstream PHP version is now ${pver}, expecting %{upver}%{?rcver}.
+ : Update the version/rcver macros and rebuild.
+ exit 1
+fi
+
+vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h`
+if test "x${vapi}" != "x%{apiver}"; then
+ : Error: Upstream API version is now ${vapi}, expecting %{apiver}.
+ : Update the apiver macro and rebuild.
+ exit 1
+fi
+
+vzend=`sed -n '/#define ZEND_MODULE_API_NO/{s/^[^0-9]*//;p;}' Zend/zend_modules.h`
+if test "x${vzend}" != "x%{zendver}"; then
+ : Error: Upstream Zend ABI version is now ${vzend}, expecting %{zendver}.
+ : Update the zendver macro and rebuild.
+ exit 1
+fi
+
+# Safety check for PDO ABI version change
+vpdo=`sed -n '/#define PDO_DRIVER_API/{s/.*[ ]//;p}' ext/pdo/php_pdo_driver.h`
+if test "x${vpdo}" != "x%{pdover}"; then
+ : Error: Upstream PDO ABI version is now ${vpdo}, expecting %{pdover}.
+ : Update the pdover macro and rebuild.
+ exit 1
+fi
+
+# https://bugs.php.net/63362 - Not needed but installed headers.
+# Drop some Windows specific headers to avoid installation,
+# before build to ensure they are really not needed.
+rm -f TSRM/tsrm_win32.h \
+ TSRM/tsrm_config.w32.h \
+ Zend/zend_config.w32.h \
+ ext/mysqlnd/config-win.h \
+ ext/standard/winver.h \
+ main/win32_internal_function_disabled.h \
+ main/win95nt.h
+
+# Fix some bogus permissions
+find . -name \*.[ch] -exec chmod 644 {} \;
+chmod 644 README.*
+
+# Some extensions have their own configuration file
+cp %{SOURCE50} %{SOURCE51} %{SOURCE53} .
+
+
+%build
+# This package fails to build with LTO due to undefined symbols. LTO
+# was disabled in OpenSuSE as well, but with no real explanation why
+# beyond the undefined symbols. It really shold be investigated further.
+# Disable LTO
+%define _lto_cflags %{nil}
+
+# Set build date from https://reproducible-builds.org/specs/source-date-epoch/
+export SOURCE_DATE_EPOCH=$(date +%s -r NEWS)
+export PHP_UNAME=$(uname)
+export PHP_BUILD_SYSTEM=$(cat /etc/redhat-release | sed -e 's/ Beta//')
+%if 0%{?vendor:1}
+export PHP_BUILD_PROVIDER="%{vendor}"
+%endif
+export PHP_BUILD_COMPILER="$(gcc --version | head -n1)"
+export PHP_BUILD_ARCH="%{_arch}"
+
+# Force use of system libtool:
+libtoolize --force --copy
+cat `aclocal --print-ac-dir`/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >build/libtool.m4
+
+# Regenerate configure scripts (patches change config.m4's)
+touch configure.ac
+./buildconf --force
+
+CFLAGS=$(echo $RPM_OPT_FLAGS -fno-strict-aliasing -Wno-pointer-sign | sed 's/-mstackrealign//')
+export CFLAGS
+
+# Install extension modules in %%{_libdir}/php/modules.
+EXTENSION_DIR=%{_libdir}/php/modules; export EXTENSION_DIR
+
+# Set PEAR_INSTALLDIR to ensure that the hard-coded include_path
+# includes the PEAR directory even though pear is packaged
+# separately.
+PEAR_INSTALLDIR=%{_datadir}/pear; export PEAR_INSTALLDIR
+
+# Shell function to configure and build a PHP tree.
+build() {
+# Old/recent bison version seems to produce a broken parser;
+# upstream uses GNU Bison 2.3. Workaround:
+mkdir Zend && cp ../Zend/zend_{language,ini}_{parser,scanner}.[ch] Zend
+
+# Always static:
+# date, ereg, filter, libxml, reflection, spl: not supported
+# hash: for PHAR_SIG_SHA256 and PHAR_SIG_SHA512
+# session: dep on hash, used by soap
+# pcre: used by filter, zip
+# pcntl, readline: only used by CLI sapi
+# openssl: for PHAR_SIG_OPENSSL
+# zlib: used by image
+
+ln -sf ../configure
+%configure \
+ --enable-rtld-now \
+ --cache-file=../config.cache \
+ --with-libdir=%{_lib} \
+ --with-config-file-path=%{_sysconfdir} \
+ --with-config-file-scan-dir=%{_sysconfdir}/php.d \
+ --disable-debug \
+ --with-pic \
+ --disable-rpath \
+ --without-pear \
+ --with-exec-dir=%{_bindir} \
+ --without-gdbm \
+ --with-openssl \
+ --with-system-ciphers \
+ --with-external-pcre \
+ --with-external-libcrypt \
+%ifarch s390 s390x sparc64 sparcv9 riscv64
+ --without-pcre-jit \
+%endif
+ --with-zlib \
+ --with-layout=GNU \
+ --with-kerberos \
+ --with-libxml \
+ --with-system-tzdata \
+ --with-mhash \
+ --without-password-argon2 \
+ --enable-dtrace \
+ $*
+if test $? != 0; then
+ tail -500 config.log
+ : configure failed
+ exit 1
+fi
+
+%make_build
+}
+
+# Build /usr/bin/php-cgi with the CGI SAPI, and most shared extensions
+pushd build-cgi
+
+build --libdir=%{_libdir}/php \
+ --enable-pcntl \
+ --enable-opcache \
+ --enable-phpdbg \
+%if %{with imap}
+ --with-imap=shared --with-imap-ssl \
+%endif
+ --enable-mbstring=shared \
+ --enable-mbregex \
+ --enable-gd=shared \
+ --with-external-gd \
+ --with-gmp=shared \
+ --enable-calendar=shared \
+ --enable-bcmath=shared \
+ --with-bz2=shared \
+ --enable-ctype=shared \
+ --enable-dba=shared \
+%if %{with db4}
+ --with-db4=%{_prefix} \
+%endif
+ --with-tcadb=%{_prefix} \
+%if %{with lmdb}
+ --with-lmdb=%{_prefix} \
+%endif
+ --enable-exif=shared \
+ --enable-ftp=shared \
+ --with-gettext=shared \
+ --with-iconv=shared \
+ --enable-sockets=shared \
+ --enable-tokenizer=shared \
+ --with-ldap=shared --with-ldap-sasl \
+ --enable-mysqlnd=shared \
+ --with-mysqli=shared,mysqlnd \
+ --with-mysql-sock=%{mysql_sock} \
+%if %{with firebird}
+ --with-pdo-firebird=shared \
+%endif
+ --enable-dom=shared \
+ --with-pgsql=shared \
+ --enable-simplexml=shared \
+ --enable-xml=shared \
+ --with-snmp=shared,%{_prefix} \
+ --enable-soap=shared \
+ --with-xsl=shared,%{_prefix} \
+ --enable-xmlreader=shared --enable-xmlwriter=shared \
+ --with-curl=shared \
+ --enable-pdo=shared \
+ --with-pdo-odbc=shared,unixODBC,%{_prefix} \
+ --with-pdo-mysql=shared,mysqlnd \
+ --with-pdo-pgsql=shared,%{_prefix} \
+ --with-pdo-sqlite=shared \
+%if %{with freetds}
+ --with-pdo-dblib=shared,%{_prefix} \
+%endif
+ --with-sqlite3=shared \
+ --without-readline \
+ --with-libedit \
+%if %{with pspell}
+ --with-pspell=shared \
+%endif
+ --enable-phar=shared \
+%if %{with tidy}
+ --with-tidy=shared,%{_prefix} \
+%endif
+ --enable-sysvmsg=shared --enable-sysvshm=shared --enable-sysvsem=shared \
+ --enable-shmop=shared \
+ --enable-posix=shared \
+ --with-unixODBC=shared,%{_prefix} \
+ --enable-fileinfo=shared \
+ --with-ffi=shared \
+%if %{with sodium}
+ --with-sodium=shared \
+%else
+ --without-sodium \
+%endif
+ --enable-intl=shared \
+ --with-enchant=shared
+popd
+
+without_shared="--without-gd \
+ --disable-dom --disable-dba --without-unixODBC \
+ --disable-opcache \
+ --disable-phpdbg \
+ --without-ffi \
+ --disable-xmlreader --disable-xmlwriter \
+ --without-sodium \
+ --without-sqlite3 --disable-phar --disable-fileinfo \
+ --without-pspell \
+ --without-curl --disable-posix --disable-xml \
+ --disable-simplexml --disable-exif --without-gettext \
+ --without-iconv --disable-ftp --without-bz2 --disable-ctype \
+ --disable-shmop --disable-sockets --disable-tokenizer \
+ --disable-sysvmsg --disable-sysvshm --disable-sysvsem"
+
+%if %{with modphp}
+# Build Apache module, and the CLI SAPI, /usr/bin/php
+pushd build-apache
+build --with-apxs2=%{_httpd_apxs} \
+ --libdir=%{_libdir}/php \
+ --without-mysqli \
+ --disable-pdo \
+ ${without_shared}
+popd
+%endif
+
+# Build php-fpm
+pushd build-fpm
+build --enable-fpm \
+ --with-fpm-acl \
+ --with-fpm-systemd \
+ --libdir=%{_libdir}/php \
+ --without-mysqli \
+ --disable-pdo \
+ ${without_shared}
+popd
+
+# Build for inclusion as embedded script language into applications,
+# /usr/lib[64]/libphp7.so
+pushd build-embedded
+build --enable-embed \
+ --without-mysqli --disable-pdo \
+ ${without_shared}
+popd
+
+%if %{with zts}
+# Build a special thread-safe (mainly for modules)
+pushd build-ztscli
+
+EXTENSION_DIR=%{_libdir}/php-zts/modules
+build --includedir=%{_includedir}/php-zts \
+ --libdir=%{_libdir}/php-zts \
+ --enable-zts \
+ --program-prefix=zts- \
+ --disable-cgi \
+ --with-config-file-scan-dir=%{_sysconfdir}/php-zts.d \
+ --enable-pcntl \
+ --enable-opcache \
+%if %{with imap}
+ --with-imap=shared --with-imap-ssl \
+%endif
+ --enable-mbstring=shared \
+ --enable-mbregex \
+ --enable-gd=shared \
+ --with-external-gd \
+ --with-gmp=shared \
+ --enable-calendar=shared \
+ --enable-bcmath=shared \
+ --with-bz2=shared \
+ --enable-ctype=shared \
+ --enable-dba=shared \
+%if %{with db4}
+ --with-db4=%{_prefix} \
+%endif
+ --with-tcadb=%{_prefix} \
+%if %{with lmdb}
+ --with-lmdb=%{_prefix} \
+%endif
+ --with-gettext=shared \
+ --with-iconv=shared \
+ --enable-sockets=shared \
+ --enable-tokenizer=shared \
+ --enable-exif=shared \
+ --enable-ftp=shared \
+ --with-ldap=shared --with-ldap-sasl \
+ --enable-mysqlnd=shared \
+ --with-mysqli=shared,mysqlnd \
+ --with-mysql-sock=%{mysql_sock} \
+ --enable-mysqlnd-threading \
+%if %{with firebird}
+ --with-pdo-firebird=shared \
+%endif
+ --enable-dom=shared \
+ --with-pgsql=shared \
+ --enable-simplexml=shared \
+ --enable-xml=shared \
+ --with-snmp=shared,%{_prefix} \
+ --enable-soap=shared \
+ --with-xsl=shared,%{_prefix} \
+ --enable-xmlreader=shared --enable-xmlwriter=shared \
+ --with-curl=shared \
+ --enable-pdo=shared \
+ --with-pdo-odbc=shared,unixODBC,%{_prefix} \
+ --with-pdo-mysql=shared,mysqlnd \
+ --with-pdo-pgsql=shared,%{_prefix} \
+ --with-pdo-sqlite=shared \
+%if %{with freetds}
+ --with-pdo-dblib=shared,%{_prefix} \
+%endif
+ --with-sqlite3=shared \
+ --without-readline \
+ --with-libedit \
+%if %{with pspell}
+ --with-pspell=shared \
+%endif
+ --enable-phar=shared \
+%if %{with tidy}
+ --with-tidy=shared,%{_prefix} \
+%endif
+ --enable-sysvmsg=shared --enable-sysvshm=shared --enable-sysvsem=shared \
+ --enable-shmop=shared \
+ --enable-posix=shared \
+ --with-unixODBC=shared,%{_prefix} \
+ --enable-fileinfo=shared \
+ --with-ffi=shared \
+%if %{with sodium}
+ --with-sodium=shared \
+%else
+ --without-sodium \
+%endif
+ --enable-intl=shared \
+ --with-enchant=shared
+popd
+
+### NOTE!!! EXTENSION_DIR was changed for the -zts build, so it must remain
+### the last SAPI to be built.
+%endif
+
+
+%check
+: Ensure proper NTS/ZTS build
+$RPM_BUILD_ROOT%{_bindir}/php -n -v | grep NTS
+%if %{with zts}
+$RPM_BUILD_ROOT%{_bindir}/zts-php -n -v | grep ZTS
+%endif
+
+%if %runselftest
+cd build-fpm
+
+# Run tests, using the CLI SAPI
+export NO_INTERACTION=1 REPORT_EXIT_STATUS=1 MALLOC_CHECK_=2
+export SKIP_ONLINE_TESTS=1
+export SKIP_IO_CAPTURE_TESTS=1
+unset TZ LANG LC_ALL
+if ! make test TESTS=-j4; then
+ set +x
+ for f in $(find .. -name \*.diff -type f -print); do
+ if ! grep -q XFAIL "${f/.diff/.phpt}"
+ then
+ echo "TEST FAILURE: $f --"
+ cat "$f"
+ echo -e "\n-- $f result ends."
+ fi
+ done
+ set -x
+ #exit 1
+fi
+unset NO_INTERACTION REPORT_EXIT_STATUS MALLOC_CHECK_
+%endif
+
+%install
+%if %{with zts}
+# Install the extensions for the ZTS version
+make -C build-ztscli install \
+ INSTALL_ROOT=$RPM_BUILD_ROOT
+%endif
+
+# Install the version for embedded script language in applications + php_embed.h
+make -C build-embedded install-sapi install-headers \
+ INSTALL_ROOT=$RPM_BUILD_ROOT
+
+# Install the php-fpm binary
+make -C build-fpm install-fpm \
+ INSTALL_ROOT=$RPM_BUILD_ROOT
+
+# Install everything from the CGI SAPI build
+make -C build-cgi install \
+ INSTALL_ROOT=$RPM_BUILD_ROOT
+
+# Use php-config from embed SAPI to reduce used libs
+install -m 755 build-embedded/scripts/php-config $RPM_BUILD_ROOT%{_bindir}/php-config
+
+# Install the default configuration file
+install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/
+install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/php.ini
+
+# For third-party packaging:
+install -m 755 -d $RPM_BUILD_ROOT%{_datadir}/php/preload
+
+%if %{with modphp}
+# install the DSO
+install -m 755 -d $RPM_BUILD_ROOT%{_httpd_moddir}
+install -m 755 build-apache/libs/libphp.so $RPM_BUILD_ROOT%{_httpd_moddir}
+%endif
+
+# Apache config fragment
+# Dual config file with httpd >= 2.4 (fedora >= 18)
+%if %{with modphp}
+install -D -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_httpd_modconfdir}/20-php.conf
+%endif
+install -D -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_httpd_confdir}/php.conf
+
+install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/php.d
+%if %{with zts}
+install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/php-zts.d
+%endif
+install -m 755 -d $RPM_BUILD_ROOT%{_sharedstatedir}/php
+install -m 755 -d $RPM_BUILD_ROOT%{_sharedstatedir}/php/peclxml
+install -m 700 -d $RPM_BUILD_ROOT%{_sharedstatedir}/php/session
+install -m 700 -d $RPM_BUILD_ROOT%{_sharedstatedir}/php/wsdlcache
+install -m 700 -d $RPM_BUILD_ROOT%{_sharedstatedir}/php/opcache
+
+install -m 755 -d $RPM_BUILD_ROOT%{_docdir}/pecl
+install -m 755 -d $RPM_BUILD_ROOT%{_datadir}/tests/pecl
+
+# PHP-FPM stuff
+# Log
+install -m 755 -d $RPM_BUILD_ROOT%{_localstatedir}/log/php-fpm
+install -m 755 -d $RPM_BUILD_ROOT/run/php-fpm
+# Config
+install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.d
+install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.conf
+install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.d/www.conf
+mv $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.conf.default .
+mv $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.d/www.conf.default .
+# install systemd unit files and scripts for handling server startup
+install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/php-fpm.service.d
+install -Dm 644 %{SOURCE6} $RPM_BUILD_ROOT%{_unitdir}/php-fpm.service
+install -Dm 644 %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/httpd.service.d/php-fpm.conf
+install -Dm 644 %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/nginx.service.d/php-fpm.conf
+# LogRotate
+install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
+install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/php-fpm
+# Nginx configuration
+install -D -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{_sysconfdir}/nginx/conf.d/php-fpm.conf
+install -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_sysconfdir}/nginx/default.d/php.conf
+
+TESTCMD="$RPM_BUILD_ROOT%{_bindir}/php --no-php-ini"
+# Ensure all provided extensions are really there
+for mod in core date filter hash libxml openssl pcntl pcre readline reflection session spl standard zlib
+do
+ $TESTCMD --modules | grep -qi $mod
+done
+
+TESTCMD="$TESTCMD --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/php/modules"
+
+# Generate files lists and stub .ini files for each subpackage
+for mod in pgsql odbc ldap snmp \
+%if %{with imap}
+ imap \
+%endif
+ mysqlnd mysqli \
+ mbstring gd dom xsl soap bcmath dba \
+ simplexml bz2 calendar ctype exif ftp gettext gmp iconv \
+ sockets tokenizer opcache \
+ sqlite3 \
+ enchant phar fileinfo intl \
+ ffi \
+%if %{with tidy}
+ tidy \
+%endif
+%if %{with pspell}
+ pspell \
+%endif
+ curl \
+%if %{with sodium}
+ sodium \
+%endif
+ posix shmop sysvshm sysvsem sysvmsg xml \
+ pdo pdo_mysql pdo pdo_pgsql pdo_odbc pdo_sqlite \
+%if %{with firebird}
+ pdo_firebird \
+%endif
+%if %{with freetds}
+ pdo_dblib \
+%endif
+ xmlreader xmlwriter
+do
+ case $mod in
+ opcache)
+ # Zend extensions
+ TESTCMD="$TESTCMD --define zend_extension=$mod"
+ ini=10-${mod}.ini;;
+ pdo_*|mysqli|xmlreader)
+ # Extensions with dependencies on 20-*
+ TESTCMD="$TESTCMD --define extension=$mod"
+ ini=30-${mod}.ini;;
+ *)
+ # Extensions with no dependency
+ TESTCMD="$TESTCMD --define extension=$mod"
+ ini=20-${mod}.ini;;
+ esac
+
+ $TESTCMD --modules | grep -qi $mod
+
+ # some extensions have their own config file
+ if [ -f ${ini} ]; then
+ cp -p ${ini} $RPM_BUILD_ROOT%{_sysconfdir}/php.d/${ini}
+%if %{with zts}
+ cp -p ${ini} $RPM_BUILD_ROOT%{_sysconfdir}/php-zts.d/${ini}
+%endif
+ else
+ cat > $RPM_BUILD_ROOT%{_sysconfdir}/php.d/${ini} <<EOF
+; Enable ${mod} extension module
+extension=${mod}
+EOF
+%if %{with zts}
+ cat > $RPM_BUILD_ROOT%{_sysconfdir}/php-zts.d/${ini} <<EOF
+; Enable ${mod} extension module
+extension=${mod}
+EOF
+%endif
+ fi
+ cat > files.${mod} <<EOF
+%{_libdir}/php/modules/${mod}.so
+%config(noreplace) %{_sysconfdir}/php.d/${ini}
+%if %{with zts}
+%{_libdir}/php-zts/modules/${mod}.so
+%config(noreplace) %{_sysconfdir}/php-zts.d/${ini}
+%endif
+EOF
+done
+
+# The dom, xsl and xml* modules are all packaged in php-xml
+cat files.dom files.xsl files.xml{reader,writer} \
+ files.simplexml >> files.xml
+
+# mysqlnd
+cat files.mysqli \
+ files.pdo_mysql \
+ >> files.mysqlnd
+
+# Split out the PDO modules
+cat files.pdo_pgsql >> files.pgsql
+cat files.pdo_odbc >> files.odbc
+
+# sysv* and posix in packaged in php-process
+cat files.shmop files.sysv* files.posix > files.process
+
+# Package sqlite3 and pdo_sqlite with pdo; isolating the sqlite dependency
+# isn't useful at this time since rpm itself requires sqlite.
+cat files.pdo_sqlite >> files.pdo
+cat files.sqlite3 >> files.pdo
+
+# Package curl, phar and fileinfo in -common.
+cat files.curl files.phar files.fileinfo \
+ files.exif files.gettext files.iconv files.calendar \
+ files.ftp files.bz2 files.ctype files.sockets \
+ files.tokenizer > files.common
+
+# The default Zend OPcache blacklist file
+install -m 644 %{SOURCE51} $RPM_BUILD_ROOT%{_sysconfdir}/php.d/opcache-default.blacklist
+%if %{with zts}
+install -m 644 %{SOURCE51} $RPM_BUILD_ROOT%{_sysconfdir}/php-zts.d/opcache-default.blacklist
+sed -e '/blacklist_filename/s/php.d/php-zts.d/' \
+ -i $RPM_BUILD_ROOT%{_sysconfdir}/php-zts.d/10-opcache.ini
+%endif
+
+# Install the macros file:
+sed -e "s/@PHP_APIVER@/%{apiver}-%{__isa_bits}/" \
+ -e "s/@PHP_ZENDVER@/%{zendver}-%{__isa_bits}/" \
+ -e "s/@PHP_PDOVER@/%{pdover}-%{__isa_bits}/" \
+ -e "s/@PHP_VERSION@/%{upver}/" \
+%if ! %{with zts}
+ -e "/zts/d" \
+%endif
+ < %{SOURCE3} > macros.php
+install -m 644 -D macros.php \
+ $RPM_BUILD_ROOT%{_rpmmacrodir}/macros.php
+
+# Remove unpackaged files
+rm -rf $RPM_BUILD_ROOT%{_libdir}/php/modules/*.a \
+ $RPM_BUILD_ROOT%{_libdir}/php-zts/modules/*.a \
+ $RPM_BUILD_ROOT%{_bindir}/{phptar} \
+ $RPM_BUILD_ROOT%{_datadir}/pear \
+ $RPM_BUILD_ROOT%{_bindir}/zts-phar* \
+ $RPM_BUILD_ROOT%{_mandir}/man1/zts-phar* \
+ $RPM_BUILD_ROOT%{_libdir}/libphp.a \
+ $RPM_BUILD_ROOT%{_libdir}/libphp.la
+
+# Remove irrelevant docs
+rm -f README.{Zeus,QNX,CVS-RULES}
+
+
+%post fpm
+%systemd_post php-fpm.service
+
+%preun fpm
+%systemd_preun php-fpm.service
+
+# Raised by new pool installation or new extension installation
+%transfiletriggerin fpm -- %{_sysconfdir}/php-fpm.d %{_sysconfdir}/php.d
+systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
+
+
+%files
+%if %{with modphp}
+%{_httpd_moddir}/libphp.so
+%config(noreplace) %{_httpd_modconfdir}/20-php.conf
+%attr(0770,root,apache) %dir %{_sharedstatedir}/php/session
+%attr(0770,root,apache) %dir %{_sharedstatedir}/php/wsdlcache
+%attr(0770,root,apache) %dir %{_sharedstatedir}/php/opcache
+%config(noreplace) %{_httpd_confdir}/php.conf
+%endif
+
+%files common -f files.common
+%doc EXTENSIONS NEWS UPGRADING* README.REDIST.BINS *md docs
+%license LICENSE TSRM_LICENSE
+%license libmagic_LICENSE
+%license timelib_LICENSE
+%doc php.ini-*
+%config(noreplace) %{_sysconfdir}/php.ini
+%dir %{_sysconfdir}/php.d
+%dir %{_libdir}/php
+%dir %{_libdir}/php/modules
+%if %{with zts}
+%dir %{_sysconfdir}/php-zts.d
+%dir %{_libdir}/php-zts
+%dir %{_libdir}/php-zts/modules
+%endif
+%dir %{_sharedstatedir}/php
+%dir %{_sharedstatedir}/php/peclxml
+%dir %{_datadir}/php
+%dir %{_docdir}/pecl
+%dir %{_datadir}/tests
+%dir %{_datadir}/tests/pecl
+
+%files cli
+%{_bindir}/php
+%if %{with zts}
+%{_bindir}/zts-php
+%{_mandir}/man1/zts-php.1*
+%endif
+%{_bindir}/php-cgi
+%{_bindir}/phar.phar
+%{_bindir}/phar
+# provides phpize here (not in -devel) for pecl command
+%{_bindir}/phpize
+%{_mandir}/man1/php.1*
+%{_mandir}/man1/php-cgi.1*
+%{_mandir}/man1/phar.1*
+%{_mandir}/man1/phar.phar.1*
+%{_mandir}/man1/phpize.1*
+
+%files dbg
+%doc sapi/phpdbg/CREDITS
+%{_bindir}/phpdbg
+%{_mandir}/man1/phpdbg.1*
+%if %{with zts}
+%{_bindir}/zts-phpdbg
+%{_mandir}/man1/zts-phpdbg.1*
+%endif
+
+%files fpm
+%doc php-fpm.conf.default www.conf.default
+%license fpm_LICENSE
+%attr(0770,root,apache) %dir %{_sharedstatedir}/php/session
+%attr(0770,root,apache) %dir %{_sharedstatedir}/php/wsdlcache
+%attr(0770,root,apache) %dir %{_sharedstatedir}/php/opcache
+%config(noreplace) %{_httpd_confdir}/php.conf
+%config(noreplace) %{_sysconfdir}/php-fpm.conf
+%config(noreplace) %{_sysconfdir}/php-fpm.d/www.conf
+%config(noreplace) %{_sysconfdir}/logrotate.d/php-fpm
+%config(noreplace) %{_sysconfdir}/nginx/conf.d/php-fpm.conf
+%config(noreplace) %{_sysconfdir}/nginx/default.d/php.conf
+%{_unitdir}/php-fpm.service
+%{_unitdir}/httpd.service.d/php-fpm.conf
+%{_unitdir}/nginx.service.d/php-fpm.conf
+%{_sbindir}/php-fpm
+%dir %{_sysconfdir}/systemd/system/php-fpm.service.d
+%dir %{_sysconfdir}/php-fpm.d
+# log owned by apache for log
+%attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm
+%dir %ghost /run/php-fpm
+%{_mandir}/man8/php-fpm.8*
+%dir %{_datadir}/fpm
+%{_datadir}/fpm/status.html
+
+%files devel
+%{_bindir}/php-config
+%{_includedir}/php
+%{_libdir}/php/build
+%if %{with zts}
+%{_bindir}/zts-php-config
+%{_bindir}/zts-phpize
+%{_includedir}/php-zts
+%{_libdir}/php-zts/build
+%{_mandir}/man1/zts-php-config.1*
+%{_mandir}/man1/zts-phpize.1*
+%endif
+%{_mandir}/man1/php-config.1*
+%{_rpmmacrodir}/macros.php
+
+%files embedded
+%{_libdir}/libphp.so
+%{_libdir}/libphp-%{embed_version}.so
+
+%files pgsql -f files.pgsql
+%files odbc -f files.odbc
+%if %{with imap}
+%files imap -f files.imap
+%endif
+%files ldap -f files.ldap
+%files snmp -f files.snmp
+%files xml -f files.xml
+%files mbstring -f files.mbstring
+%license libmbfl_LICENSE
+%files gd -f files.gd
+%files soap -f files.soap
+%files bcmath -f files.bcmath
+%license libbcmath_LICENSE
+%files gmp -f files.gmp
+%files dba -f files.dba
+%files pdo -f files.pdo
+%if %{with tidy}
+%files tidy -f files.tidy
+%endif
+%if %{with freetds}
+%files pdo-dblib -f files.pdo_dblib
+%endif
+%if %{with pspell}
+%files pspell -f files.pspell
+%endif
+%files intl -f files.intl
+%files process -f files.process
+%if %{with firebird}
+%files pdo-firebird -f files.pdo_firebird
+%endif
+%files enchant -f files.enchant
+%files mysqlnd -f files.mysqlnd
+%files opcache -f files.opcache
+%config(noreplace) %{_sysconfdir}/php.d/opcache-default.blacklist
+%if %{with zts}
+%config(noreplace) %{_sysconfdir}/php-zts.d/opcache-default.blacklist
+%endif
+%if %{with sodium}
+%files sodium -f files.sodium
+%endif
+%files ffi -f files.ffi
+%dir %{_datadir}/php/preload
+
+
+%changelog
+* Wed Dec 15 2021 Remi Collet <rcollet@redhat.com> - 8.0.13-1
+- rebase to 8.0.13 #2032429
+- refresh configuration files from upstream
+
+* Tue Oct 26 2021 Remi Collet <rcollet@redhat.com> - 8.0.12-1
+- rebase to 8.0.12 #2017111 #1981423
+- build using system libxcrypt #2015903
+
+* Tue Sep 14 2021 Remi Collet <rcollet@redhat.com> - 8.0.10-1
+- rebase to 8.0.10 #1992513
+- compatibility with OpenSSL 3.0 #1992492
+- snmp: add sha256 / sha512 security protocol #1936635
+- phar: implement openssl_256 and openssl_512 for phar signatures
+- phar: use sha256 signature by default
+
+* Thu Aug 19 2021 DJ Delorie <dj@redhat.com> - 8.0.6-9
+- Rebuilt for libffi 3.4.2 SONAME transition.
+ Related: rhbz#1891914
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 8.0.6-8
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Fri Aug 6 2021 Florian Weimer <fweimer@redhat.com> - 8.0.6-7
+- Rebuild to pick up new build flags from redhat-rpm-config (#1984652)
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 8.0.6-6
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Mon May 31 2021 Remi Collet <rcollet@redhat.com> - 8.0.6-5
+- fix build with net-snmp without DES #1953492
+
+* Tue May 18 2021 Remi Collet <rcollet@redhat.com> - 8.0.6-4
+- fix build with openssl 3.0 #1953492
+
+* Sat May 8 2021 Remi Collet <remi@remirepo.net> - 8.0.6-3
+- get rid of inet_addr and gethostbyaddr calls
+
+* Thu May 6 2021 Remi Collet <remi@remirepo.net> - 8.0.6-2
+- get rid of inet_ntoa and inet_aton calls
+
+* Wed May 5 2021 Remi Collet <remi@remirepo.net> - 8.0.6-1
+- Update to 8.0.6 - http://www.php.net/releases/8_0_6.php
+
+* Tue Apr 27 2021 Remi Collet <remi@remirepo.net> - 8.0.5-1
+- Update to 8.0.5 - http://www.php.net/releases/8_0_5.php
+
+* Tue Apr 13 2021 Remi Collet <remi@remirepo.net> - 8.0.5~RC1-1
+- update to 8.0.5RC1
+
+* Fri Mar 19 2021 Remi Collet <remi@remirepo.net> - 8.0.4~RC1-2
+- make libdb usage conditional
+ default: on for Fedora, off for RHEL
+
+* Tue Mar 16 2021 Remi Collet <remi@remirepo.net> - 8.0.4~RC1-1
+- update to 8.0.4RC1
+
+* Mon Mar 15 2021 Remi Collet <remi@remirepo.net> - 8.0.3-2
+- clean conditions
+
+* Thu Mar 4 2021 Remi Collet <remi@remirepo.net> - 8.0.3-1
+- Update to 8.0.3 - http://www.php.net/releases/8_0_3.php
+- see https://fedoraproject.org/wiki/Changes/php80
+- drop xmlrpc extension
+- drop json subpackage, extension always there
+- enchant: use libenchant-2 instead of libenchant
+
+* Tue Mar 2 2021 Remi Collet <remi@remirepo.net> - 7.4.16-1
+- Update to 7.4.16 - http://www.php.net/releases/7_4_16.php
+
+* Wed Feb 24 2021 Remi Collet <remi@remirepo.net> - 7.4.15-3
+- drop php-imap, fix #1929640
+
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 7.4.15-2
+- rebuild for libpq ABI fix rhbz#1908268
+
+* Tue Feb 2 2021 Remi Collet <remi@remirepo.net> - 7.4.15-1
+- Update to 7.4.15 - http://www.php.net/releases/7_4_15.php
+- add upstream patch for https://bugs.php.net/80682
+ fix opcache doesn't honour pcre.jit option
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.4.15~RC2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jan 19 2021 Remi Collet <remi@remirepo.net> - 7.4.15~RC2-1
+- update to 7.4.15RC2
+
+* Tue Jan 5 2021 Remi Collet <remi@remirepo.net> - 7.4.14-1
+- Update to 7.4.14 - http://www.php.net/releases/7_4_14.php
+
+* Wed Dec 16 2020 Remi Collet <remi@remirepo.net> - 7.4.14~RC1-1
+- update to 7.4.14RC1
+
+* Tue Dec 1 2020 Remi Collet <remi@remirepo.net> - 7.4.13-2
+- explicitly requires make
+ https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
+
+* Tue Nov 24 2020 Remi Collet <remi@remirepo.net> - 7.4.13-1
+- Update to 7.4.13 - http://www.php.net/releases/7_4_13.php
+
+* Thu Nov 12 2020 Remi Collet <remi@remirepo.net> - 7.4.13~RC1-1
+- update to 7.4.13RC1
+
+* Tue Oct 27 2020 Remi Collet <remi@remirepo.net> - 7.4.12-1
+- Update to 7.4.12 - http://www.php.net/releases/7_4_12.php
+
+* Tue Oct 13 2020 Remi Collet <remi@remirepo.net> - 7.4.12~RC1-1
+- update to 7.4.12RC1
+
+* Tue Sep 29 2020 Remi Collet <remi@remirepo.net> - 7.4.11-1
+- Update to 7.4.11 - http://www.php.net/releases/7_4_11.php
+
+* Tue Sep 15 2020 Remi Collet <remi@remirepo.net> - 7.4.11~RC1-1
+- update to 7.4.11RC1
+
+* Thu Sep 03 2020 Josef Řídký <jridky@redhat.com> - 7.4.10-2
+- Rebuilt for new net-snmp release
+
+* Tue Sep 1 2020 Remi Collet <remi@remirepo.net> - 7.4.10-1
+- Update to 7.4.10 - http://www.php.net/releases/7_4_10.php
+
+* Thu Aug 27 2020 Josef Řídký <jridky@redhat.com> - 7.4.10~RC1-2
+- Rebuilt for new net-snmp release
+
+* Tue Aug 18 2020 Remi Collet <remi@remirepo.net> - 7.4.10~RC1-1
+- update to 7.4.10RC1
+
+* Mon Aug 10 2020 Remi Collet <remi@remirepo.net> - 7.4.9-1
+- Update to 7.4.9 - http://www.php.net/releases/7_4_9.php
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.4.9~RC1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 21 2020 Remi Collet <remi@remirepo.net> - 7.4.9~RC1-1
+- update to 7.4.9RC1
+
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 7.4.8-3
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Thu Jul 9 2020 Remi Collet <remi@remirepo.net> - 7.4.8-2
+- Update to 7.4.8 - http://www.php.net/releases/7_4_8.php
+ rebuild from new sources
+
+* Tue Jul 7 2020 Remi Collet <remi@remirepo.net> - 7.4.8-1
+- Update to 7.4.8 - http://www.php.net/releases/7_4_8.php
+
+* Mon Jul 6 2020 Remi Collet <remi@remirepo.net> - 7.4.8~RC1-3
+- display build system and provider in phpinfo (from 8.0)
+
+* Wed Jul 01 2020 Jeff Law <law@redhat.com> - 7.4.8~RC1-2
+- Disable LTO
+
+* Tue Jun 23 2020 Remi Collet <remi@remirepo.net> - 7.4.8~RC1-1
+- update to 7.4.8RC1
+- drop patch to fix PHP_UNAME
+
+* Tue Jun 16 2020 Remi Collet <remi@remirepo.net> - 7.4.7-2
+- disable build of mod_php
+ https://fedoraproject.org/wiki/Changes/drop_mod_php
+
+* Tue Jun 9 2020 Remi Collet <remi@remirepo.net> - 7.4.7-1
+- Update to 7.4.7 - http://www.php.net/releases/7_4_7.php
+
+* Mon Jun 8 2020 Remi Collet <remi@remirepo.net> - 7.4.7~RC1-4
+- rewrite conditional using bcond_with and bcond_without
+
+* Tue May 26 2020 Remi Collet <remi@remirepo.net> - 7.4.7~RC1-1
+- update to 7.4.7RC1
+
+* Wed May 20 2020 Remi Collet <remi@remirepo.net> - 7.4.6-3
+- use php-config from embed SAPI to reduce used libs
+
+* Sat May 16 2020 Pete Walter <pwalter@fedoraproject.org> - 7.4.6-2
+- Rebuild for ICU 67
+
+* Tue May 12 2020 Remi Collet <remi@remirepo.net> - 7.4.6-1
+- Update to 7.4.6 - http://www.php.net/releases/7_4_6.php
+
+* Wed Apr 29 2020 Remi Collet <remi@remirepo.net> - 7.4.6~RC1-1
+- update to 7.4.6RC1
+
+* Tue Apr 21 2020 Remi Collet <remi@fedoraproject.org> - 7.4.5-2
+- make mod_php optional (enabled by default for now)
+- drop mod_php ZTS build
+- run FPM tests
+
+* Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 7.4.5-1
+- Update to 7.4.5 - http://www.php.net/releases/7_4_5.php
+
+* Tue Mar 31 2020 Remi Collet <remi@remirepo.net> - 7.4.5~RC1-1
+- update to 7.4.5RC1
+
+* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 7.4.4-1
+- Update to 7.4.4 - http://www.php.net/releases/7_4_4.php
+
+* Tue Mar 3 2020 Remi Collet <remi@remirepo.net> - 7.4.4~RC1-1
+- update to 7.4.4RC1
+
+* Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 7.4.3-1
+- Update to 7.4.3 - http://www.php.net/releases/7_4_3.php
+
+* Tue Feb 4 2020 Remi Collet <remi@remirepo.net> - 7.4.3~RC1-1
+- update to 7.4.3RC1
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 21 2020 Remi Collet <remi@remirepo.net> - 7.4.2-1
+- Update to 7.4.2 - http://www.php.net/releases/7_4_2.php
+
+* Tue Jan 7 2020 Remi Collet <remi@remirepo.net> - 7.4.2~RC1-1
+- update to 7.4.2RC1
+
+* Wed Dec 18 2019 Remi Collet <remi@remirepo.net> - 7.4.1-1
+- Update to 7.4.1 - http://www.php.net/releases/7_4_1.php
+
+* Wed Dec 11 2019 Remi Collet <remi@remirepo.net> - 7.4.1~RC1-1
+- update to 7.4.1RC1
+
+* Wed Nov 27 2019 Remi Collet <remi@remirepo.net> - 7.4.0-1
+- update to 7.4.0 GA
+
+* Mon Nov 11 2019 Remi Collet <remi@remirepo.net> - 7.4.0~RC6-1
+- update to 7.4.0RC6
+
+* Fri Nov 01 2019 Pete Walter <pwalter@fedoraproject.org> - 7.4.0~RC5-2
+- Rebuild for ICU 65
+
+* Tue Oct 29 2019 Remi Collet <remi@remirepo.net> - 7.4.0~RC5-1
+- update to 7.4.0RC5
+- set opcache.enable_cli in provided default configuration
+- add /usr/share/php/preload as default ffi.preload configuration
+
+* Tue Oct 15 2019 Remi Collet <remi@remirepo.net> - 7.4.0~RC4-1
+- update to 7.4.0RC4
+
+* Mon Oct 7 2019 Remi Collet <remi@remirepo.net> - 7.4.0~RC3-2
+- ensure all shared extensions can be loaded
+- add patch from https://github.com/php/php-src/pull/4794
+ to ensure opcache is always linked with librt
+
+* Tue Oct 1 2019 Remi Collet <remi@remirepo.net> - 7.4.0~RC3-1
+- update to 7.4.0RC3
+- bump API version to 20190902
+- drop wddx, recode and interbase extensions
+- add ffi extension
+- drop dependency on libargon2, use libsodium implementation
+- run test suite using 4 concurrent workers
+- cleanup unused conditional
+- add upstream patch to fix aarch64 build
+
+* Tue Sep 24 2019 Remi Collet <remi@remirepo.net> - 7.3.10-1
+- Update to 7.3.10 - http://www.php.net/releases/7_3_10.php
+
+* Wed Sep 11 2019 Remi Collet <remi@remirepo.net> - 7.3.10~RC1-2
+- update to 7.3.10RC1 (new tag)
+
+* Tue Sep 10 2019 Remi Collet <remi@remirepo.net> - 7.3.10~RC1-1
+- update to 7.3.10RC1
+
+* Wed Aug 28 2019 Remi Collet <remi@remirepo.net> - 7.3.9-1
+- Update to 7.3.9 - http://www.php.net/releases/7_3_9.php
+- add tarball signature check
+
+* Tue Aug 20 2019 Petr Pisar <ppisar@redhat.com> - 7.3.9~RC1-2
+- Rebuild against recode-3.7.2 (bug #1379055)
+
+* Mon Aug 19 2019 Remi Collet <remi@remirepo.net> - 7.3.9~RC1-1
+- update to 7.3.9RC1
+
+* Tue Jul 30 2019 Remi Collet <remi@remirepo.net> - 7.3.8-1
+- Update to 7.3.8 - http://www.php.net/releases/7_3_8.php
+
+* Tue Jul 16 2019 Remi Collet <remi@remirepo.net> - 7.3.8~RC1-1
+- update to 7.3.8RC1
+- add upstream patch for #78297
+- main package now recommends commonly used extensions
+ (json, mbstring, opcache, pdo, xml)
+
+* Wed Jul 3 2019 Remi Collet <remi@remirepo.net> - 7.3.7-2
+- Update to 7.3.7 - http://www.php.net/releases/7_3_7.php
+- disable opcache.huge_code_pages in default configuration
+
+* Thu Jun 20 2019 Remi Collet <remi@remirepo.net> - 7.3.7~RC3-1
+- update to 7.3.7RC3
+
+* Tue Jun 18 2019 Remi Collet <remi@remirepo.net> - 7.3.7~RC2-1
+- update to 7.3.7RC2
+
+* Tue Jun 11 2019 Remi Collet <remi@remirepo.net> - 7.3.7~RC1-1
+- update to 7.3.7RC1
+
+* Tue May 28 2019 Remi Collet <remi@remirepo.net> - 7.3.6-1
+- Update to 7.3.6 - http://www.php.net/releases/7_3_6.php
+
+* Wed May 15 2019 Remi Collet <remi@remirepo.net> - 7.3.6~RC1-2
+- update to 7.3.6RC1 (new tag)
+
+* Tue May 14 2019 Remi Collet <remi@remirepo.net> - 7.3.6~RC1-1
+- update to 7.3.6RC1
+
+* Wed May 1 2019 Remi Collet <remi@remirepo.net> - 7.3.5-1
+- Update to 7.3.5 - http://www.php.net/releases/7_3_5.php
+
+* Tue Apr 16 2019 Remi Collet <remi@remirepo.net> - 7.3.5~RC1-1
+- update to 7.3.5RC1
+
+* Tue Apr 2 2019 Remi Collet <remi@remirepo.net> - 7.3.4-1
+- Update to 7.3.4 - http://www.php.net/releases/7_3_4.php
+
+* Thu Mar 21 2019 Remi Collet <remi@remirepo.net> - 7.3.4~RC1-3
+- update to 7.3.4RC1 new tag
+- add upstream patches for failed tests
+- add build dependency on ps command
+
+* Wed Mar 20 2019 Remi Collet <remi@remirepo.net> - 7.3.4~RC1-2
+- revert upstream change for extension test suite
+
+* Tue Mar 19 2019 Remi Collet <remi@remirepo.net> - 7.3.4~RC1-1
+- update to 7.3.4RC1
+
+* Mon Mar 18 2019 Remi Collet <remi@fedoraproject.org> - 7.3.3-2
+- rebuild for libargon2 new soname
+
+* Wed Mar 6 2019 Remi Collet <remi@remirepo.net> - 7.3.3-1
+- Update to 7.3.3 - http://www.php.net/releases/7_3_3.php
+- add upstream patch for OpenSSL 1.1.1b
+
+* Tue Feb 19 2019 Remi Collet <remi@remirepo.net> - 7.3.3~RC1-1
+- update to 7.3.3RC1
+- adapt systzdata patch (v18)
+
+* Wed Feb 6 2019 Remi Collet <remi@remirepo.net> - 7.3.2-1
+- Update to 7.3.2 - http://www.php.net/releases/7_3_2.php
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.3.2~RC1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jan 23 2019 Pete Walter <pwalter@fedoraproject.org> - 7.3.2~RC1-2
+- Rebuild for ICU 63
+
+* Tue Jan 22 2019 Remi Collet <remi@remirepo.net> - 7.3.2~RC1-1
+- update to 7.3.2RC1
+- update system tzdata patch for timelib 2018.01
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 7.3.1-2
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Tue Jan 8 2019 Remi Collet <remi@remirepo.net> - 7.3.1-1
+- Update to 7.3.1 - http://www.php.net/releases/7_3_1.php
+
+* Tue Dec 18 2018 Remi Collet <remi@remirepo.net> - 7.3.1-0.1.RC1
+- update to 7.3.1RC1
+
+* Tue Dec 4 2018 Remi Collet <remi@remirepo.net> - 7.3.0-1
+- update to 7.3.0 GA
+- update FPM configuration from upstream
+
+* Tue Nov 20 2018 Remi Collet <remi@remirepo.net> - 7.3.0~0.3.RC5
+- update to 7.3.0RC6
+
+* Tue Nov 6 2018 Remi Collet <remi@remirepo.net> - 7.3.0~0.2.RC5
+- update to 7.3.0RC5
+
+* Fri Nov 2 2018 Remi Collet <remi@remirepo.net> - 7.3.0-0.1.RC4
+- rebuild
+
+* Tue Oct 23 2018 Remi Collet <remi@remirepo.net> - 7.3.0~rc4-1
+- update to 7.3.0RC4
+
+* Tue Oct 9 2018 Remi Collet <remi@remirepo.net> - 7.3.0~rc3-1
+- update to 7.3.0RC3
+
+* Thu Oct 4 2018 Remi Collet <remi@remirepo.net> - 7.3.0~rc2-1
+- update to 7.3.0RC2
+- bump API numbers
+- switch from libpcre to libpcre2
+- temporarily disable pcre jit on s390x see https://bugzilla.redhat.com/1636032
+
+* Wed Sep 26 2018 Remi Collet <remi@remirepo.net> - 7.2.11~RC1-1
+- update to 7.2.11RC1
+
+* Tue Sep 11 2018 Remi Collet <remi@remirepo.net> - 7.2.10-1
+- Update to 7.2.10 - http://www.php.net/releases/7_2_10.php
+
+* Tue Aug 28 2018 Remi Collet <remi@remirepo.net> - 7.2.10~RC1-1
+- update to 7.2.10RC1
+
+* Thu Aug 16 2018 Remi Collet <remi@remirepo.net> - 7.2.9-1
+- Update to 7.2.9 - http://www.php.net/releases/7_2_9.php
+
+* Tue Jul 24 2018 Adam Williamson <awilliam@redhat.com> - 7.2.8-2
+- Rebuild for new net-snmp
+
+* Tue Jul 17 2018 Remi Collet <remi@remirepo.net> - 7.2.8-1
+- Update to 7.2.8 - http://www.php.net/releases/7_2_8.php
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.2.8~RC1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jul 10 2018 Pete Walter <pwalter@fedoraproject.org> - 7.2.8~RC1-3
+- Rebuild for ICU 62
+
+* Tue Jul 3 2018 Remi Collet <remi@remirepo.net> - 7.2.8~RC1-2
+- FPM: add getallheaders, backported from 7.3
+
+* Tue Jul 3 2018 Remi Collet <remi@remirepo.net> - 7.2.8~RC1-1
+- update to 7.2.8RC1
+
+* Wed Jun 20 2018 Remi Collet <remi@remirepo.net> - 7.2.7-1
+- Update to 7.2.7 - http://www.php.net/releases/7_2_7.php
+- drop -mstackrealign option, workaround to #1593144
+
+* Wed Jun 6 2018 Remi Collet <remi@remirepo.net> - 7.2.7~RC1-1
+- update to 7.2.7RC1
+
+* Wed May 23 2018 Remi Collet <remi@remirepo.net> - 7.2.6-1
+- Update to 7.2.6 - http://www.php.net/releases/7_2_6.php
+
+* Sun May 13 2018 Remi Collet <remi@remirepo.net> - 7.2.6~RC1-1
+- update to 7.2.6RC1
+
+* Mon Apr 30 2018 Pete Walter <pwalter@fedoraproject.org> - 7.2.5-2
+- Rebuild for ICU 61.1
+
+* Tue Apr 24 2018 Remi Collet <remi@remirepo.net> - 7.2.5-1
+- Update to 7.2.5 - http://www.php.net/releases/7_2_5.php
+
+* Wed Apr 11 2018 Remi Collet <remi@remirepo.net> - 7.2.5~RC1-1
+- update to 7.2.5RC1
+
+* Tue Apr 3 2018 Remi Collet <remi@remirepo.net> - 7.2.4-2
+- add upstream patch for oniguruma 6.8.1, FTBFS #1562583
+
+* Sun Apr 01 2018 Mamoru TASAKA <mtasaka@fedoraproject.org> - 7.2.4-2
+- Rebuild against oniguruma 6.8.1
+
+* Tue Mar 27 2018 Remi Collet <remi@remirepo.net> - 7.2.4-1
+- Update to 7.2.4 - http://www.php.net/releases/7_2_4.php
+- FPM: update default pool configuration for process.dumpable
+
+* Wed Mar 21 2018 Remi Collet <remi@remirepo.net> - 7.2.4~RC1-3
+- use systemd RuntimeDirectory instead of /etc/tmpfiles.d
+
+* Thu Mar 15 2018 Remi Collet <remi@remirepo.net> - 7.2.4~RC1-2
+- add file trigger to restart the php-fpm service
+ when new pool or new extension installed #1556762
+
+* Tue Mar 13 2018 Remi Collet <remi@remirepo.net> - 7.2.4~RC1-1
+- update to 7.2.4RC1
+
+* Wed Feb 28 2018 Remi Collet <remi@remirepo.net> - 7.2.3-1
+- Update to 7.2.3 - http://www.php.net/releases/7_2_3.php
+- FPM: revert pid file removal
+
+* Wed Feb 21 2018 Remi Collet <remi@remirepo.net> - 7.2.3~RC1-4
+- disable ZTS on RHEL
+
+* Fri Feb 16 2018 Remi Collet <remi@remirepo.net> - 7.2.3~RC1-3
+- disable pspell extension on RHEL
+- improve devel dependencies
+
+* Wed Feb 14 2018 Remi Collet <remi@remirepo.net> - 7.2.3~RC1-2
+- rebuild for new tag and drop patch merged upstream
+- drop ldconfig scriptlets
+
+* Wed Feb 14 2018 Remi Collet <remi@remirepo.net> - 7.2.3~RC1-1
+- update to 7.2.3RC1
+- adapt systzdata, fixheader and ldap_r patches
+- apply upstream patch for date ext
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 30 2018 Remi Collet <remi@remirepo.net> - 7.2.2-1
+- Update to 7.2.2 - http://www.php.net/releases/7_2_2.php
+
+* Mon Jan 29 2018 Remi Collet <rcollet@redhat.com> - 7.2.2~RC1-3
+- disable interbase, imap, pdo_dblib and sodium on rhel
+
+* Thu Jan 25 2018 Remi Collet <remi@remirepo.net> - 7.2.2~RC1-3
+- undefine _strict_symbol_defs_build
+
+* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 7.2.2~RC1-2
+- Rebuilt for switch to libxcrypt
+
+* Tue Jan 16 2018 Remi Collet <remi@remirepo.net> - 7.2.2~RC1-1
+- update to 7.2.2RC1
+- define SOURCE_DATE_EPOCH for reproducible build
+
+* Wed Jan 3 2018 Remi Collet <remi@remirepo.net> - 7.2.1-1
+- Update to 7.2.1 - http://www.php.net/releases/7_2_1.php
+
+* Wed Dec 13 2017 Remi Collet <remi@remirepo.net> - 7.2.1~RC1-1
+- update to 7.2.1RC1
+
+* Thu Nov 30 2017 Pete Walter <pwalter@fedoraproject.org> - 7.2.0-3
+- Rebuild for ICU 60.1
+
+* Tue Nov 28 2017 Remi Collet <remi@remirepo.net> - 7.2.0-2
+- refresh patch for https://bugs.php.net/75514
+
+* Tue Nov 28 2017 Remi Collet <remi@remirepo.net> - 7.2.0-1
+- update to 7.2.0 GA
+- add upstream patch for https://bugs.php.net/75514
+
+* Tue Nov 7 2017 Remi Collet <remi@fedoraproject.org> - 7.2.0~RC6-1
+- Update to 7.2.0RC6
+
+* Wed Oct 25 2017 Remi Collet <remi@fedoraproject.org> - 7.2.0~RC5-1
+- Update to 7.2.0RC5
+- make php-fpm a weak dependency
+
+* Wed Oct 18 2017 Remi Collet <remi@remirepo.net> - 7.2.0~RC4-2
+- enable argon2 password hash
+
+* Tue Oct 10 2017 Remi Collet <remi@fedoraproject.org> - 7.2.0~RC4-1
+- Update to 7.2.0RC4
+
+* Fri Sep 29 2017 Remi Collet <remi@fedoraproject.org> - 7.2.0~RC3-1
+- Update to 7.2.0RC3
+- drop mcrypt extension
+- add sodium extension
+- use system oniguruma
+- drop .so suffix from ini files
+- refresh configuration files from upstream
+
+* Wed Sep 27 2017 Remi Collet <remi@fedoraproject.org> - 7.1.10-1
+- Update to 7.1.10 - http://www.php.net/releases/7_1_10.php
+
+* Mon Sep 25 2017 Remi Collet <remi@fedoraproject.org> - 7.1.10~RC1-2
+- php now requires php-fpm and start it with httpd / nginx
+
+* Wed Sep 13 2017 Remi Collet <remi@fedoraproject.org> - 7.1.10~RC1-1
+- Update to 7.1.10RC1
+
+* Wed Sep 6 2017 Remi Collet <remi@fedoraproject.org> - 7.1.9-2
+- Automatically load OpenSSL configuration file, from PHP 7.2
+
+* Wed Aug 30 2017 Remi Collet <remi@fedoraproject.org> - 7.1.9-1
+- Update to 7.1.9 - http://www.php.net/releases/7_1_9.php
+
+* Wed Aug 16 2017 Remi Collet <remi@fedoraproject.org> - 7.1.9~RC1-1
+- Update to 7.1.9RC1
+- php-fpm: drop unneeded "pid" from default configuration
+
+* Wed Aug 2 2017 Remi Collet <remi@fedoraproject.org> - 7.1.8-1
+- Update to 7.1.8 - http://www.php.net/releases/7_1_8.php
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.1.8~RC1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Jul 19 2017 Remi Collet <remi@fedoraproject.org> - 7.1.8~RC1-1
+- Update to 7.1.8RC1
+
+* Tue Jul 18 2017 Remi Collet <remi@fedoraproject.org> - 7.1.7-2
+- disable httpd MPM check
+
+* Thu Jul 6 2017 Remi Collet <remi@fedoraproject.org> - 7.1.7-1
+- Update to 7.1.7 - http://www.php.net/releases/7_1_7.php
+
+* Wed Jun 21 2017 Remi Collet <remi@fedoraproject.org> - 7.1.7~RC1-1
+- Update to 7.1.7RC1
+
+* Wed Jun 7 2017 Remi Collet <remi@fedoraproject.org> - 7.1.6-1
+- Update to 7.1.6 - http://www.php.net/releases/7_1_6.php
+- add upstream security patches for oniguruma
+
+* Wed May 24 2017 Remi Collet <remi@fedoraproject.org> - 7.1.6~RC1-1
+- Update to 7.1.6RC1
+
+* Tue May 9 2017 Remi Collet <remi@fedoraproject.org> - 7.1.5-1
+- Update to 7.1.5 - http://www.php.net/releases/7_1_5.php
+
+* Sat May 6 2017 Remi Collet <remi@fedoraproject.org> - 7.1.5-0.3.RC1
+- enable PHP execution of .phar files, see #1117140
+
+* Thu Apr 27 2017 Remi Collet <remi@fedoraproject.org> - 7.1.5-0.2.RC1
+- new sources from new tag
+
+* Tue Apr 25 2017 Remi Collet <remi@fedoraproject.org> - 7.1.5-0.1.RC1
+- Update to 7.1.5RC1
+
+* Tue Apr 11 2017 Remi Collet <remi@fedoraproject.org> - 7.1.4-1
+- Update to 7.1.4 - http://www.php.net/releases/7_1_4.php
+
+* Wed Mar 29 2017 Remi Collet <remi@fedoraproject.org> - 7.1.4-0.1.RC1
+- Update to 7.1.4RC1
+
+* Wed Mar 22 2017 Remi Collet <remi@fedoraproject.org> - 7.1.3-3
+- timelib is MIT license
+
+* Wed Mar 15 2017 Remi Collet <remi@fedoraproject.org> - 7.1.3-2
+- remove %%attr, see #1432372
+
+* Wed Mar 15 2017 Remi Collet <remi@fedoraproject.org> - 7.1.3-1
+- Update to 7.1.3 - http://www.php.net/releases/7_1_3.php
+
+* Tue Feb 28 2017 Remi Collet <remi@fedoraproject.org> 7.1.3-0.1.RC1
+- Update to 7.1.3RC1
+
+* Wed Feb 15 2017 Remi Collet <remi@fedoraproject.org> - 7.1.2-1
+- Update to 7.1.2 - http://www.php.net/releases/7_1_2.php
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.1.2-0.2.RC1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 2 2017 Remi Collet <remi@fedoraproject.org> - 7.1.2-0.2.RC1
+- Update to 7.1.2RC1 (new sources)
+
+* Wed Feb 1 2017 Remi Collet <remi@fedoraproject.org> 7.1.2-0.1.RC1
+- Update to 7.1.2RC1
+
+* Wed Jan 18 2017 Remi Collet <remi@fedoraproject.org> 7.1.1-1
+- Update to 7.1.1 - http://www.php.net/releases/7_1_1.php
+
+* Fri Jan 6 2017 Remi Collet <remi@fedoraproject.org> 7.1.1-0.1.RC1
+- Update to 7.1.1RC1
+
+* Thu Dec 1 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-1
+- Update to 7.1.0 - http://www.php.net/releases/7_1_0.php
+
+* Fri Nov 25 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.3.RC6
+- disable pcre.jit everywhere as it raise AVC #1398474
+- sync provided configuration with upstream production defaults
+
+* Mon Nov 14 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.2.RC6
+- re-enable interbase sub package
+ see http://bugzilla.redhat.com/1394750 sub package inconsistency
+- add patch to fix firebird include path (using fb_config)
+
+* Mon Nov 14 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.1.RC6
+- Update to 7.1.0RC6
+- update tzdata patch to v14, improve check for valid tz file
+- disable interbase sub package (interbase and pdo_firebird)
+
+* Tue Oct 11 2016 Remi Collet <remi@fedoraproject.org> 7.1.0-0.1.RC3
+- Update to 7.1.0RC3
+
+* Wed Sep 28 2016 Remi Collet <remi@fedoraproject.org> 7.0.12-0.1.RC1
+- Update to 7.0.12RC1
+
+* Wed Sep 14 2016 Remi Collet <remi@fedoraproject.org> 7.0.11-1
+- Update to 7.0.11 - http://www.php.net/releases/7_0_11.php
+
+* Fri Sep 2 2016 Remi Collet <remi@fedoraproject.org> 7.0.11-0.1.RC1
+- Update to 7.0.11RC1
+
+* Thu Sep 1 2016 Remi Collet <remi@fedoraproject.org> 7.0.10-1
+- Update to 7.0.10 - http://www.php.net/releases/7_0_10.php
+
+* Wed Aug 3 2016 Remi Collet <remi@fedoraproject.org> 7.0.10-0.1.RC1
+- Update to 7.0.10RC1
+
+* Wed Jul 20 2016 Remi Collet <remi@fedoraproject.org> 7.0.9-1
+- Update to 7.0.9 - http://www.php.net/releases/7_0_9.php
+- wddx: add upstream patch for https://bugs.php.net/72564
+
+* Wed Jul 6 2016 Remi Collet <remi@fedoraproject.org> 7.0.9-0.1.RC1
+- Update to 7.0.9RC1
+
+* Thu Jun 30 2016 Remi Collet <remi@fedoraproject.org> 7.0.8-2
+- own tests/doc directories for pecl packages #1351345
+
+* Wed Jun 22 2016 Remi Collet <remi@fedoraproject.org> 7.0.8-1
+- Update to 7.0.8 - http://www.php.net/releases/7_0_8.php
+- https://fedoraproject.org/wiki/Changes/php70
+- drop ereg, mysql, mssql extensions
+- add json extension
+
+* Wed Jun 22 2016 Remi Collet <remi@fedoraproject.org> 5.6.23-1
+- Update to 5.6.23 - http://www.php.net/releases/5_6_23.php
+
+* Thu Jun 9 2016 Remi Collet <remi@fedoraproject.org> 5.6.23-0.1.RC1
+- update to 5.6.23RC1
+
+* Fri May 27 2016 Remi Collet <remi@fedoraproject.org> 5.6.22-2
+- drop unneeded option --with-vpx-dir, fix FTBFS, thanks Koschei
+
+* Thu May 26 2016 Remi Collet <remi@fedoraproject.org> 5.6.22-1
+- Update to 5.6.22 - http://www.php.net/releases/5_6_22.php
+
+* Thu May 12 2016 Remi Collet <remi@fedoraproject.org> 5.6.22-0.1.RC1
+- update to 5.6.22RC1
+
+* Thu Apr 28 2016 Remi Collet <remi@fedoraproject.org> 5.6.21-1
+- Update to 5.6.21
+ http://www.php.net/releases/5_6_21.php
+
+* Mon Apr 18 2016 Remi Collet <remi@fedoraproject.org> 5.6.21-0.2.RC1
+- rebuild for ICU 57.1
+
+* Mon Apr 18 2016 Remi Collet <remi@fedoraproject.org> 5.6.21-0.1.RC1
+- update to 5.6.21RC1
+
+* Fri Apr 15 2016 David Tardon <dtardon@redhat.com> - 5.6.20-1.1
+- rebuild for ICU 57.1
+
+* Thu Mar 31 2016 Remi Collet <remi@fedoraproject.org> 5.6.20-1
+- Update to 5.6.20
+ http://www.php.net/releases/5_6_20.php
+
+* Thu Mar 17 2016 Remi Collet <remi@fedoraproject.org> 5.6.20-0.1.RC1
+- update to 5.6.20RC1
+
+* Thu Mar 3 2016 Remi Collet <remi@fedoraproject.org> 5.6.19-1
+- Update to 5.6.19
+ http://www.php.net/releases/5_6_19.php
+
+* Thu Feb 18 2016 Remi Collet <remi@fedoraproject.org> 5.6.19-0.1.RC1
+- update to 5.6.19RC1
+
+* Tue Feb 9 2016 Remi Collet <remi@fedoraproject.org> 5.6.18-2
+- define %%pecl_xmldir and own it (/var/lib/php/peclxml)
+
+* Wed Feb 3 2016 Remi Collet <remi@fedoraproject.org> 5.6.18-1
+- Update to 5.6.18
+ http://www.php.net/releases/5_6_18.php
+
+* Thu Jan 21 2016 Remi Collet <remi@fedoraproject.org> 5.6.18-0.1.RC1
+- update to 5.6.18RC1
+
+* Thu Jan 7 2016 Remi Collet <remi@fedoraproject.org> 5.6.17-1
+- Update to 5.6.17
+ http://www.php.net/releases/5_6_17.php
+
+* Thu Dec 10 2015 Remi Collet <remi@fedoraproject.org> 5.6.17-0.1.RC1
+- update to 5.6.17RC1
+
+* Tue Dec 1 2015 Tom Callaway <spot@fedoraproject.org> 5.6.16-2
+- rebuild for libvpx 1.5.0
+
+* Thu Nov 26 2015 Remi Collet <remi@fedoraproject.org> 5.6.16-1
+- Update to 5.6.16
+ http://www.php.net/releases/5_6_16.php
+
+* Wed Nov 18 2015 Rex Dieter <rdieter@fedoraproject.org> 5.6.16-0.2.RC2
+- rebuild (tidy)
+
+* Thu Nov 12 2015 Remi Collet <remi@fedoraproject.org> 5.6.16-0.1.RC1
+- update to 5.6.16RC1
+
+* Thu Oct 29 2015 Remi Collet <remi@fedoraproject.org> 5.6.15-1
+- Update to 5.6.15
+ http://www.php.net/releases/5_6_15.php
+- php-config: reports all built sapis
+
+* Thu Oct 15 2015 Remi Collet <remi@fedoraproject.org> 5.6.15-0.1.RC1
+- update to 5.6.15RC1
+
+* Wed Sep 30 2015 Remi Collet <remi@fedoraproject.org> 5.6.14-1
+- Update to 5.6.14
+ http://www.php.net/releases/5_6_14.php
+- php-fpm: enable http authorization headers
+
+* Thu Sep 17 2015 Remi Collet <remi@fedoraproject.org> 5.6.14-0.1.RC1
+- update to 5.6.14RC1
+
+* Thu Sep 3 2015 Remi Collet <remi@fedoraproject.org> 5.6.13-1
+- Update to 5.6.13
+ http://www.php.net/releases/5_6_13.php
+
+* Thu Aug 6 2015 Remi Collet <remi@fedoraproject.org> 5.6.12-1
+- Update to 5.6.12
+ http://www.php.net/releases/5_6_12.php
+
+* Fri Jul 24 2015 Remi Collet <remi@fedoraproject.org> 5.6.12-0.1.RC1
+- update to 5.6.12RC1
+
+* Fri Jul 17 2015 Remi Collet <remi@fedoraproject.org> 5.6.11-2
+- fix typo in php.conf #1244104
+
+* Sun Jul 12 2015 Remi Collet <remi@fedoraproject.org> 5.6.11-1
+- Update to 5.6.11
+ http://www.php.net/releases/5_6_11.php
+
+* Thu Jun 25 2015 Remi Collet <remi@fedoraproject.org> 5.6.11-0.1.RC1
+- update to 5.6.11RC1
+- the phar link is now correctly created
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.6.10-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Thu Jun 11 2015 Remi Collet <remi@fedoraproject.org> 5.6.10-1
+- Update to 5.6.10
+ http://www.php.net/releases/5_6_10.php
+- add explicit spec license (implicit by FPCA)
+
+* Thu May 28 2015 Remi Collet <remi@fedoraproject.org> 5.6.10-0.1.RC1
+- update to 5.6.10RC1
+- opcache is now 7.0.6-dev
+
+* Fri May 15 2015 Remi Collet <remi@fedoraproject.org> 5.6.9-1
+- Update to 5.6.9
+ http://www.php.net/releases/5_6_9.php
+
+* Thu Apr 30 2015 Remi Collet <remi@fedoraproject.org> 5.6.9-0.1.RC1
+- update to 5.6.9RC1
+- adapt systzdata patch for upstream changes for new zic
+
+* Thu Apr 16 2015 Remi Collet <remi@fedoraproject.org> 5.6.8-1
+- Update to 5.6.8
+ http://www.php.net/releases/5_6_8.php
+
+* Fri Apr 10 2015 Remi Collet <remi@fedoraproject.org> 5.6.8-0.3.RC1
+- add upstream patch to drop SSLv3 tests
+
+* Mon Apr 6 2015 Tom Callaway <spot@fedoraproject.org> - 5.6.8-0.2.RC1
+- rebuild for libvpx 1.4.0
+
+* Wed Apr 1 2015 Remi Collet <remi@fedoraproject.org> 5.6.8-0.1.RC1
+- update to 5.6.8RC1
+
+* Fri Mar 20 2015 Remi Collet <remi@fedoraproject.org> 5.6.7-2
+- Update to 5.6.7
+ http://www.php.net/releases/5_6_7.php
+
+* Sun Mar 8 2015 Remi Collet <remi@fedoraproject.org> 5.6.7-1
+- update to 5.6.7RC1
+
+* Thu Feb 19 2015 Remi Collet <remi@fedoraproject.org> 5.6.6-1
+- Update to 5.6.6
+ http://www.php.net/releases/5_6_6.php
+
+* Thu Feb 5 2015 Remi Collet <rcollet@redhat.com> 5.6.6-0.1.RC1
+- php 5.6.6RC1 for Koschei
+
+* Mon Jan 26 2015 David Tardon <dtardon@redhat.com> - 5.6.5-2
+- rebuild for ICU 54.1
+
+* Thu Jan 22 2015 Remi Collet <remi@fedoraproject.org> 5.6.5-1
+- Update to 5.6.5
+ http://www.php.net/releases/5_6_5.php
+- drop deprecated php-fpm EnvironmentFile
+
+* Fri Jan 9 2015 Remi Collet <remi@fedoraproject.org> 5.6.5-0.1.RC1
+- update to 5.6.5RC1
+- FPM: enable ACL support for Unix Domain Socket
+- FPM: switch default configuration to use UDS
+
+* Wed Dec 17 2014 Remi Collet <remi@fedoraproject.org> 5.6.4-2
+- Update to 5.6.4 (real)
+ http://www.php.net/releases/5_6_4.php
+- php-xmlrpc requires php-xml
+
+* Wed Dec 10 2014 Remi Collet <remi@fedoraproject.org> 5.6.4-1
+- Update to 5.6.4
+ http://www.php.net/releases/5_6_4.php
+
+* Fri Nov 28 2014 Remi Collet <rcollet@redhat.com> 5.6.4-0.1.RC1
+- php 5.6.4RC1
+
+* Mon Nov 17 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-4
+- FPM: add upstream patch for https://bugs.php.net/68428
+ listen.allowed_clients is IPv4 only
+
+* Mon Nov 17 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-3
+- sync php-fpm configuration with upstream
+- refresh upstream patch for 68421
+
+* Sun Nov 16 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-2
+- FPM: add upstream patch for https://bugs.php.net/68421
+ access.format=R doesn't log ipv6 address
+- FPM: add upstream patch for https://bugs.php.net/68420
+ listen=9000 listens to ipv6 localhost instead of all addresses
+- FPM: add upstream patch for https://bugs.php.net/68423
+ will no longer load all pools
+
+* Thu Nov 13 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-1
+- Update to PHP 5.6.3
+ http://php.net/releases/5_6_3.php
+
+* Fri Oct 31 2014 Remi Collet <rcollet@redhat.com> 5.6.3-0.2.RC1
+- php 5.6.3RC1 (refreshed, phpdbg changes reverted)
+- new version of systzdata patch, fix case sensitivity
+- ignore Factory in date tests
+
+* Wed Oct 29 2014 Remi Collet <rcollet@redhat.com> 5.6.3-0.1.RC1
+- php 5.6.3RC1
+- disable opcache.fast_shutdown in default config
+- enable phpdbg_webhelper new extension (in php-dbg)
+
+* Thu Oct 16 2014 Remi Collet <remi@fedoraproject.org> 5.6.1-1
+- Update to PHP 5.6.2
+ http://php.net/releases/5_6_2.php
+
+* Fri Oct 3 2014 Remi Collet <remi@fedoraproject.org> 5.6.1-1
+- Update to PHP 5.6.1
+ http://php.net/releases/5_6_1.php
+- use default system cipher list by Fedora policy
+ http://fedoraproject.org/wiki/Changes/CryptoPolicy
+
+* Wed Sep 24 2014 Remi Collet <rcollet@redhat.com> 5.6.1-0.2.RC1
+- provides nginx configuration (see #1142298)
+
+* Sat Sep 13 2014 Remi Collet <rcollet@redhat.com> 5.6.1-0.1.RC1
+- php 5.6.1RC1
+
+* Thu Aug 28 2014 Remi Collet <remi@fedoraproject.org> 5.6.0-1
+- PHP 5.6.0 is GA
+ http://php.net/releases/5_6_0.php
+- fix ZTS man pages, upstream patch for 67878
+- provides php(httpd)
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.6.0-0.7.RC4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Aug 14 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.6.RC4
+- php 5.6.0RC4
+
+* Thu Jul 31 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.5.RC3
+- fpm requires httpd >= 2.4.10 for proxy support in SetHandler
+
+* Thu Jul 31 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.4.RC3
+- php 5.6.0RC3
+- cleanup with_libmysql
+- fix licenses handling
+- fix zts-php-config --php-binary output #1124605
+- provide php.conf with php-fpm, allow apache + fpm
+ to work with default configuration, without mod_php
+
+* Mon Jul 7 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.3.RC2
+- php 5.6.0RC2
+
+* Mon Jun 23 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.2.RC1
+- fix phpdbg with libedit https://bugs.php.net/67499
+- add workaround for unserialize/mock issue from 5.4/5.5
+
+* Thu Jun 19 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.1.RC1
+- php 5.6.0RC1
+ https://fedoraproject.org/wiki/Changes/Php56
+- add php-dbg subpackage
+- update php.ini and opcache.ini from upstream production template
+- move zts-php to php-cli
+
+* Thu Jun 5 2014 Remi Collet <rcollet@redhat.com> 5.5.13-3
+- fix regression introduce in fix for #67118
+
+* Tue Jun 3 2014 Remi Collet <remi@fedoraproject.org> 5.5.13-2
+- fileinfo: fix insufficient boundary check
+- workaround regression introduce in fix for 67072 in
+ serialize/unzerialize functions
+
+* Fri May 30 2014 Remi Collet <rcollet@redhat.com> 5.5.13-1
+- Update to 5.5.13
+ http://www.php.net/releases/5_5_13.php
+- sync php.ini with upstream php.ini-production
+
+* Sat May 3 2014 Remi Collet <rcollet@redhat.com> 5.5.12-1
+- Update to 5.5.12
+ http://www.php.net/releases/5_5_12.php
+- php-fpm: change default unix socket permission CVE-2014-0185
+
+* Wed Apr 23 2014 Remi Collet <rcollet@redhat.com> 5.5.11-2
+- add numerical prefix to extension configuration files
+- prevent .user.ini files from being viewed by Web clients
+- load php directives only when mod_php is active
+
+* Thu Apr 3 2014 Remi Collet <rcollet@redhat.com> 5.5.11-1
+- Update to 5.5.11
+ http://www.php.net/ChangeLog-5.php#5.5.11
+
+* Thu Mar 6 2014 Remi Collet <rcollet@redhat.com> 5.5.10-1
+- Update to 5.5.10
+ http://www.php.net/ChangeLog-5.php#5.5.10
+- php-fpm should own /var/lib/php/session and wsdlcache
+- fix pcre test results with libpcre < 8.34
+
+* Tue Feb 18 2014 Remi Collet <rcollet@redhat.com> 5.5.9-2
+- upstream patch for https://bugs.php.net/66731
+
+* Thu Feb 13 2014 Remi Collet <remi@fedoraproject.org> 5.5.9-1.1
+- rebuild
+
+* Tue Feb 11 2014 Remi Collet <remi@fedoraproject.org> 5.5.9-1
+- Update to 5.5.9
+ http://www.php.net/ChangeLog-5.php#5.5.9
+- Install macros to /usr/lib/rpm/macros.d
+
+* Thu Jan 23 2014 Joe Orton <jorton@redhat.com> - 5.5.8-2
+- fix _httpd_mmn expansion in absence of httpd-devel
+
+* Wed Jan 8 2014 Remi Collet <rcollet@redhat.com> 5.5.8-1
+- update to 5.5.8
+- drop conflicts with other opcode caches as both can
+ be used only for user data cache
+
+* Wed Dec 11 2013 Remi Collet <rcollet@redhat.com> 5.5.7-1
+- update to 5.5.7, fix for CVE-2013-6420
+- fix zend_register_functions breaks reflection, php bug 66218
+- fix Heap buffer over-read in DateInterval, php bug 66060
+- fix fix overflow handling bug in non-x86
+
+* Wed Nov 13 2013 Remi Collet <remi@fedoraproject.org> 5.5.6-1
+- update to 5.5.6
+
+* Thu Oct 17 2013 Remi Collet <rcollet@redhat.com> - 5.5.5-1
+- update to 5.5.5
+- sync php.ini with upstream
+
+* Thu Sep 19 2013 Remi Collet <rcollet@redhat.com> - 5.5.4-1
+- update to 5.5.4
+- improve security, use specific soap.wsdl_cache_dir
+ use /var/lib/php/wsdlcache for mod_php and php-fpm
+- sync short_tag comments in php.ini with upstream
+
+* Wed Aug 21 2013 Remi Collet <rcollet@redhat.com> - 5.5.3-1
+- update to 5.5.3
+- fix typo and add missing entries in php.ini
+- drop zip extension
+
+* Mon Aug 19 2013 Remi Collet <rcollet@redhat.com> - 5.5.2-1
+- update to 5.5.2, fixes for CVE-2011-4718 + CVE-2013-4248
+
+* Thu Aug 08 2013 Remi Collet <rcollet@redhat.com> - 5.5.1-3
+- improve system libzip patch
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jul 22 2013 Remi Collet <rcollet@redhat.com> - 5.5.1-1
+- update to 5.5.1
+- add Provides: php(pdo-abi), for consistency with php(api)
+ and php(zend-abi)
+- improved description for mod_php
+- fix opcache ZTS configuration (blacklists in /etc/php-zts.d)
+- add missing man pages (phar, php-cgi)
+
+* Fri Jul 12 2013 Remi Collet <rcollet@redhat.com> - 5.5.0-2
+- add security fix for CVE-2013-4113
+- add missing ASL 1.0 license
+- 32k stack size seems ok for tests on both 32/64bits build
+
+* Thu Jun 20 2013 Remi Collet <rcollet@redhat.com> 5.5.0-1
+- update to 5.5.0 final
+
+* Fri Jun 14 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.11.RC3
+- also drop JSON from sources
+- clean conditional for JSON (as removed from the sources)
+- clean conditional for FPM (always build)
+
+* Thu Jun 13 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.10.RC3
+- drop JSON extension
+
+* Tue Jun 11 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.9.RC3
+- build with system GD >= 2.1.0
+
+* Thu Jun 6 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.8.RC3
+- update to 5.5.0RC3
+
+* Thu May 23 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.7.RC2
+- update to 5.5.0RC2
+- add missing options in php-fpm.conf
+- run php-fpm in systemd notify mode
+- /etc/syconfig/php-fpm is deprecated (still used)
+- add /systemd/system/php-fpm.service.d
+
+* Wed May 8 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.6.RC1
+- update to 5.5.0RC1
+- remove reference to apache in some sub-packages description
+- add option to disable json extension
+- drop most (very old) "Obsoletes", add version to others
+
+* Thu Apr 25 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.5.beta4
+- update to 5.5.0beta4
+- zend_extension doesn't requires full path
+- refresh patch for system libzip
+- drop opcache patch merged upstream
+- add BuildRequires libvpx-devel for WebP support in php-gd
+- php-fpm own /usr/share/fpm
+
+* Thu Apr 11 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.4.beta3
+- update to 5.5.0beta3
+- allow wildcard in opcache.blacklist_filename and provide
+ default /etc/php.d/opcache-default.blacklist
+- clean spec, use only spaces (no tab)
+
+* Thu Apr 4 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.3.beta2
+- clean old deprecated options
+
+* Thu Mar 28 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.2.beta2
+- update to 5.5.0beta2
+- Zend Optimizer+ renamed to Zend OPcache
+- sync provided configuration with upstream
+
+* Fri Mar 22 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.1.beta1
+- update to 5.5.0beta1
+ http://fedoraproject.org/wiki/Features/Php55
+- new Zend OPcache extension in php-opccache new sub-package
+- don't display XFAIL tests in report
+- use xz compressed tarball
+- build simplexml and xml extensions shared (moved in php-xml)
+- build bz2, calendar, ctype, exif, ftp, gettext, iconv
+ sockets and tokenizer extensions shared (in php-common)
+- build gmp extension shared (in php-gmp new sub-package)
+- build shmop extension shared (moved in php-process)
+- drop some old compatibility provides (php-api, php-zend-abi, php-pecl-*)
+
+* Thu Mar 14 2013 Remi Collet <rcollet@redhat.com> 5.4.13-1
+- update to 5.4.13
+- security fix for CVE-2013-1643
+- Hardened build (links with -z now option)
+
+* Mon Mar 11 2013 Ralf Corsépius <corsepiu@fedoraproject.org> - 5.4.13-0.2.RC1
+- Remove %%config from %%{_sysconfdir}/rpm/macros.*
+ (https://fedorahosted.org/fpc/ticket/259).
+
+* Thu Feb 28 2013 Remi Collet <rcollet@redhat.com> 5.4.13-0.1.RC1
+- update to 5.4.13RC1
+- drop patches merged upstream
+
+* Sat Feb 23 2013 Karsten Hopp <karsten@redhat.com> 5.4.12-4
+- add support for ppc64p7 arch (Power7 optimized)
+
+* Thu Feb 21 2013 Remi Collet <rcollet@redhat.com> 5.4.12-3
+- make ZTS build optional (still enabled)
+
+* Wed Feb 20 2013 Remi Collet <rcollet@redhat.com> 5.4.12-2
+- make php-mysql package optional and disabled
+
+* Wed Feb 20 2013 Remi Collet <remi@fedoraproject.org> 5.4.12-1
+- update to 5.4.12
+- security fix for CVE-2013-1635
+- drop gdbm because of license incompatibility
+
+* Wed Feb 13 2013 Remi Collet <rcollet@redhat.com> 5.4.12-0.6.RC2
+- enable tokyocabinet and gdbm dba handlers
+
+* Wed Feb 13 2013 Remi Collet <rcollet@redhat.com> 5.4.12-0.5.RC2
+- update to 5.4.12RC2
+
+* Mon Feb 11 2013 Remi Collet <rcollet@redhat.com> 5.4.12-0.4.RC1
+- upstream patch (5.4.13) to fix dval to lval conversion
+ https://bugs.php.net/64142
+
+* Mon Feb 4 2013 Remi Collet <rcollet@redhat.com> 5.4.12-0.3.RC1
+- upstream patch (5.4.13) for 2 failed tests
+
+* Fri Feb 1 2013 Remi Collet <rcollet@redhat.com> 5.4.12-0.2.RC1
+- fix buit-in web server on ppc64 (fdset usage)
+ https://bugs.php.net/64128
+
+* Thu Jan 31 2013 Remi Collet <rcollet@redhat.com> 5.4.12-0.1.RC1
+- update to 5.4.12RC1
+
+* Mon Jan 28 2013 Remi Collet <rcollet@redhat.com> 5.4.11-3
+- rebuild for new libicu
+
+* Mon Jan 21 2013 Adam Tkac <atkac redhat com> - 5.4.11-2
+- rebuild due to "jpeg8-ABI" feature drop
+
+* Wed Jan 16 2013 Remi Collet <rcollet@redhat.com> 5.4.11-1
+- update to 5.4.11
+
+* Thu Jan 10 2013 Remi Collet <rcollet@redhat.com> 5.4.11-0.2.RC1
+- fix php.conf to allow MultiViews managed by php scripts
+
+* Thu Jan 10 2013 Remi Collet <rcollet@redhat.com> 5.4.11-0.1.RC1
+- update to 5.4.11RC1
+
+* Wed Dec 19 2012 Remi Collet <rcollet@redhat.com> 5.4.10-1
+- update to 5.4.10
+- remove patches merged upstream
+
+* Tue Dec 11 2012 Remi Collet <rcollet@redhat.com> 5.4.9-3
+- drop "Configure Command" from phpinfo output
+
+* Tue Dec 11 2012 Joe Orton <jorton@redhat.com> - 5.4.9-2
+- prevent php_config.h changes across (otherwise identical) rebuilds
+
+* Thu Nov 22 2012 Remi Collet <rcollet@redhat.com> 5.4.9-1
+- update to 5.4.9
+
+* Thu Nov 15 2012 Remi Collet <rcollet@redhat.com> 5.4.9-0.5.RC1
+- switch back to upstream generated scanner/parser
+
+* Thu Nov 15 2012 Remi Collet <rcollet@redhat.com> 5.4.9-0.4.RC1
+- use _httpd_contentdir macro and fix php.gif path
+
+* Wed Nov 14 2012 Remi Collet <rcollet@redhat.com> 5.4.9-0.3.RC1
+- improve system libzip patch to use pkg-config
+
+* Wed Nov 14 2012 Remi Collet <rcollet@redhat.com> 5.4.9-0.2.RC1
+- use _httpd_moddir macro
+
+* Wed Nov 14 2012 Remi Collet <rcollet@redhat.com> 5.4.9-0.1.RC1
+- update to 5.4.9RC1
+- improves php.conf (use FilesMatch + SetHandler)
+- improves filter (httpd module)
+- apply ldap_r patch on fedora >= 18 only
+
+* Fri Nov 9 2012 Remi Collet <rcollet@redhat.com> 5.4.8-6
+- clarify Licenses
+- missing provides xmlreader and xmlwriter
+- modernize spec
+- change php embedded library soname version to 5.4
+
+* Tue Nov 6 2012 Remi Collet <rcollet@redhat.com> 5.4.8-5
+- fix _httpd_mmn macro definition
+
+* Mon Nov 5 2012 Remi Collet <rcollet@redhat.com> 5.4.8-4
+- fix mysql_sock macro definition
+
+* Thu Oct 25 2012 Remi Collet <rcollet@redhat.com> 5.4.8-3
+- fix installed headers
+
+* Tue Oct 23 2012 Joe Orton <jorton@redhat.com> - 5.4.8-2
+- use libldap_r for ldap extension
+
+* Thu Oct 18 2012 Remi Collet <remi@fedoraproject.org> 5.4.8-1
+- update to 5.4.8
+- define both session.save_handler and session.save_path
+- fix possible segfault in libxml (#828526)
+- php-fpm: create apache user if needed
+- use SKIP_ONLINE_TEST during make test
+- php-devel requires pcre-devel and php-cli (instead of php)
+
+* Fri Oct 5 2012 Remi Collet <remi@fedoraproject.org> 5.4.7-11
+- provides php-phar
+- update systzdata patch to v10, timezone are case insensitive
+
+* Mon Oct 1 2012 Remi Collet <remi@fedoraproject.org> 5.4.7-10
+- fix typo in systemd macro
+
+* Mon Oct 1 2012 Remi Collet <remi@fedoraproject.org> 5.4.7-9
+- php-fpm: enable PrivateTmp
+- php-fpm: new systemd macros (#850268)
+- php-fpm: add upstream patch for startup issue (#846858)
+
+* Fri Sep 28 2012 Remi Collet <rcollet@redhat.com> 5.4.7-8
+- systemd integration, https://bugs.php.net/63085
+- no odbc call during timeout, https://bugs.php.net/63171
+- check sqlite3_column_table_name, https://bugs.php.net/63149
+
+* Mon Sep 24 2012 Remi Collet <rcollet@redhat.com> 5.4.7-7
+- most failed tests explained (i386, x86_64)
+
+* Wed Sep 19 2012 Remi Collet <rcollet@redhat.com> 5.4.7-6
+- fix for http://bugs.php.net/63126 (#783967)
+
+* Wed Sep 19 2012 Remi Collet <rcollet@redhat.com> 5.4.7-5
+- patch to ensure we use latest libdb (not libdb4)
+
+* Wed Sep 19 2012 Remi Collet <rcollet@redhat.com> 5.4.7-4
+- really fix rhel tests (use libzip and libdb)
+
+* Tue Sep 18 2012 Remi Collet <rcollet@redhat.com> 5.4.7-3
+- fix test to enable zip extension on RHEL-7
+
+* Mon Sep 17 2012 Remi Collet <remi@fedoraproject.org> 5.4.7-2
+- remove session.save_path from php.ini
+ move it to apache and php-fpm configuration files
+
+* Fri Sep 14 2012 Remi Collet <remi@fedoraproject.org> 5.4.7-1
+- update to 5.4.7
+ http://www.php.net/releases/5_4_7.php
+- php-fpm: don't daemonize
+
+* Mon Aug 20 2012 Remi Collet <remi@fedoraproject.org> 5.4.6-2
+- enable php-fpm on secondary arch (#849490)
+
+* Fri Aug 17 2012 Remi Collet <remi@fedoraproject.org> 5.4.6-1
+- update to 5.4.6
+- update to v9 of systzdata patch
+- backport fix for new libxml
+
+* Fri Jul 20 2012 Remi Collet <remi@fedoraproject.org> 5.4.5-1
+- update to 5.4.5
+
+* Mon Jul 02 2012 Remi Collet <remi@fedoraproject.org> 5.4.4-4
+- also provide php(language)%%{_isa}
+- define %%{php_version}
+
+* Mon Jul 02 2012 Remi Collet <remi@fedoraproject.org> 5.4.4-3
+- drop BR for libevent (#835671)
+- provide php(language) to allow version check
+
+* Thu Jun 21 2012 Remi Collet <remi@fedoraproject.org> 5.4.4-2
+- add missing provides (core, ereg, filter, standard)
+
+* Thu Jun 14 2012 Remi Collet <remi@fedoraproject.org> 5.4.4-1
+- update to 5.4.4 (CVE-2012-2143, CVE-2012-2386)
+- use /usr/lib/tmpfiles.d instead of /etc/tmpfiles.d
+- use /run/php-fpm instead of /var/run/php-fpm
+
+* Wed May 09 2012 Remi Collet <remi@fedoraproject.org> 5.4.3-1
+- update to 5.4.3 (CVE-2012-2311, CVE-2012-2329)
+
+* Thu May 03 2012 Remi Collet <remi@fedoraproject.org> 5.4.2-1
+- update to 5.4.2 (CVE-2012-1823)
+
+* Fri Apr 27 2012 Remi Collet <remi@fedoraproject.org> 5.4.1-1
+- update to 5.4.1
+
+* Wed Apr 25 2012 Joe Orton <jorton@redhat.com> - 5.4.0-6
+- rebuild for new icu
+- switch (conditionally) to libdb-devel
+
+* Sat Mar 31 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-5
+- fix Loadmodule with MPM event (use ZTS if not MPM worker)
+- split conf.d/php.conf + conf.modules.d/10-php.conf with httpd 2.4
+
+* Thu Mar 29 2012 Joe Orton <jorton@redhat.com> - 5.4.0-4
+- rebuild for missing automatic provides (#807889)
+
+* Mon Mar 26 2012 Joe Orton <jorton@redhat.com> - 5.4.0-3
+- really use _httpd_mmn
+
+* Mon Mar 26 2012 Joe Orton <jorton@redhat.com> - 5.4.0-2
+- rebuild against httpd 2.4
+- use _httpd_mmn, _httpd_apxs macros
+
+* Fri Mar 02 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-1
+- update to PHP 5.4.0 finale
+
+* Sat Feb 18 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-0.4.RC8
+- update to PHP 5.4.0RC8
+
+* Sat Feb 04 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-0.3.RC7
+- update to PHP 5.4.0RC7
+- provides env file for php-fpm (#784770)
+- add patch to use system libzip (thanks to spot)
+- don't provide INSTALL file
+
+* Wed Jan 25 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-0.2.RC6
+- all binaries in /usr/bin with zts prefix
+
+* Wed Jan 18 2012 Remi Collet <remi@fedoraproject.org> 5.4.0-0.1.RC6
+- update to PHP 5.4.0RC6
+ https://fedoraproject.org/wiki/Features/Php54
+
+* Sun Jan 08 2012 Remi Collet <remi@fedoraproject.org> 5.3.8-4.4
+- fix systemd unit
+
+* Mon Dec 12 2011 Remi Collet <remi@fedoraproject.org> 5.3.8-4.3
+- switch to systemd
+
+* Tue Dec 06 2011 Adam Jackson <ajax@redhat.com> - 5.3.8-4.2
+- Rebuild for new libpng
+
+* Wed Oct 26 2011 Marcela Mašláňová <mmaslano@redhat.com> - 5.3.8-3.2
+- rebuild with new gmp without compat lib
+
+* Wed Oct 12 2011 Peter Schiffer <pschiffe@redhat.com> - 5.3.8-3.1
+- rebuild with new gmp
+
+* Wed Sep 28 2011 Remi Collet <remi@fedoraproject.org> 5.3.8-3
+- revert is_a() to php <= 5.3.6 behavior (from upstream)
+ with new option (allow_string) for new behavior
+
+* Tue Sep 13 2011 Remi Collet <remi@fedoraproject.org> 5.3.8-2
+- add mysqlnd sub-package
+- drop patch4, use --libdir to use /usr/lib*/php/build
+- add patch to redirect mysql.sock (in mysqlnd)
+
+* Tue Aug 23 2011 Remi Collet <remi@fedoraproject.org> 5.3.8-1
+- update to 5.3.8
+ http://www.php.net/ChangeLog-5.php#5.3.8
+
+* Thu Aug 18 2011 Remi Collet <remi@fedoraproject.org> 5.3.7-1
+- update to 5.3.7
+ http://www.php.net/ChangeLog-5.php#5.3.7
+- merge php-zts into php (#698084)
+
+* Tue Jul 12 2011 Joe Orton <jorton@redhat.com> - 5.3.6-4
+- rebuild for net-snmp SONAME bump
+
+* Mon Apr 4 2011 Remi Collet <Fedora@famillecollet.com> 5.3.6-3
+- enable mhash extension (emulated by hash extension)
+
+* Wed Mar 23 2011 Remi Collet <Fedora@famillecollet.com> 5.3.6-2
+- rebuild for new MySQL client library
+
+* Thu Mar 17 2011 Remi Collet <Fedora@famillecollet.com> 5.3.6-1
+- update to 5.3.6
+ http://www.php.net/ChangeLog-5.php#5.3.6
+- fix php-pdo arch specific requires
+
+* Tue Mar 15 2011 Joe Orton <jorton@redhat.com> - 5.3.5-6
+- disable zip extension per "No Bundled Libraries" policy (#551513)
+
+* Mon Mar 07 2011 Caolán McNamara <caolanm@redhat.com> 5.3.5-5
+- rebuild for icu 4.6
+
+* Mon Feb 28 2011 Remi Collet <Fedora@famillecollet.com> 5.3.5-4
+- fix systemd-units requires
+
+* Thu Feb 24 2011 Remi Collet <Fedora@famillecollet.com> 5.3.5-3
+- add tmpfiles.d configuration for php-fpm
+- add Arch specific requires/provides
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Jan 07 2011 Remi Collet <Fedora@famillecollet.com> 5.3.5-1
+- update to 5.3.5
+ http://www.php.net/ChangeLog-5.php#5.3.5
+- clean duplicate configure options
+
+* Tue Dec 28 2010 Remi Collet <rpms@famillecollet.com> 5.3.4-2
+- rebuild against MySQL 5.5.8
+- remove all RPM_SOURCE_DIR
+
+* Sun Dec 12 2010 Remi Collet <rpms@famillecollet.com> 5.3.4-1.1
+- security patch from upstream for #660517
+
+* Sat Dec 11 2010 Remi Collet <Fedora@famillecollet.com> 5.3.4-1
+- update to 5.3.4
+ http://www.php.net/ChangeLog-5.php#5.3.4
+- move phpize to php-cli (see #657812)
+
+* Wed Dec 1 2010 Remi Collet <Fedora@famillecollet.com> 5.3.3-5
+- ghost /var/run/php-fpm (see #656660)
+- add filter_setup to not provides extensions as .so
+
+* Mon Nov 1 2010 Joe Orton <jorton@redhat.com> - 5.3.3-4
+- use mysql_config in libdir directly to avoid biarch build failures
+
+* Fri Oct 29 2010 Joe Orton <jorton@redhat.com> - 5.3.3-3
+- rebuild for new net-snmp
+
+* Sun Oct 10 2010 Remi Collet <Fedora@famillecollet.com> 5.3.3-2
+- add php-fpm sub-package
+
+* Thu Jul 22 2010 Remi Collet <Fedora@famillecollet.com> 5.3.3-1
+- PHP 5.3.3 released
+
+* Fri Apr 30 2010 Remi Collet <Fedora@famillecollet.com> 5.3.2-3
+- garbage collector upstream patches (#580236)
+
+* Fri Apr 02 2010 Caolán McNamara <caolanm@redhat.com> 5.3.2-2
+- rebuild for icu 4.4
+
+* Sat Mar 06 2010 Remi Collet <Fedora@famillecollet.com> 5.3.2-1
+- PHP 5.3.2 Released!
+- remove mime_magic option (now provided by fileinfo, by emu)
+- add patch for http://bugs.php.net/50578
+- remove patch for libedit (upstream)
+- add runselftest option to allow build without test suite
+
+* Fri Nov 27 2009 Joe Orton <jorton@redhat.com> - 5.3.1-3
+- update to v7 of systzdata patch
+
+* Wed Nov 25 2009 Joe Orton <jorton@redhat.com> - 5.3.1-2
+- fix build with autoconf 2.6x
+
+* Fri Nov 20 2009 Remi Collet <Fedora@famillecollet.com> 5.3.1-1
+- update to 5.3.1
+- remove openssl patch (merged upstream)
+- add provides for php-pecl-json
+- add prod/devel php.ini in doc
+
+* Tue Nov 17 2009 Tom "spot" Callaway <tcallawa@redhat.com> - 5.3.0-7
+- use libedit instead of readline to resolve licensing issues
+
+* Tue Aug 25 2009 Tomas Mraz <tmraz@redhat.com> - 5.3.0-6
+- rebuilt with new openssl
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jul 16 2009 Joe Orton <jorton@redhat.com> 5.3.0-4
+- rediff systzdata patch
+
+* Thu Jul 16 2009 Joe Orton <jorton@redhat.com> 5.3.0-3
+- update to v6 of systzdata patch; various fixes
+
+* Tue Jul 14 2009 Joe Orton <jorton@redhat.com> 5.3.0-2
+- update to v5 of systzdata patch; parses zone.tab and extracts
+ timezone->{country-code,long/lat,comment} mapping table
+
+* Sun Jul 12 2009 Remi Collet <Fedora@famillecollet.com> 5.3.0-1
+- update to 5.3.0
+- remove ncurses, dbase, mhash extensions
+- add enchant, sqlite3, intl, phar, fileinfo extensions
+- raise sqlite version to 3.6.0 (for sqlite3, build with --enable-load-extension)
+- sync with upstream "production" php.ini
+
+* Sun Jun 21 2009 Remi Collet <Fedora@famillecollet.com> 5.2.10-1
+- update to 5.2.10
+- add interbase sub-package
+
+* Sat Feb 28 2009 Remi Collet <Fedora@FamilleCollet.com> - 5.2.9-1
+- update to 5.2.9
+
+* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2.8-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Feb 5 2009 Joe Orton <jorton@redhat.com> 5.2.8-9
+- add recode support, -recode subpackage (#106755)
+- add -zts subpackage with ZTS-enabled build of httpd SAPI
+- adjust php.conf to use -zts SAPI build for worker MPM
+
+* Wed Feb 4 2009 Joe Orton <jorton@redhat.com> 5.2.8-8
+- fix patch fuzz, renumber patches
+
+* Wed Feb 4 2009 Joe Orton <jorton@redhat.com> 5.2.8-7
+- drop obsolete configure args
+- drop -odbc patch (#483690)
+
+* Mon Jan 26 2009 Joe Orton <jorton@redhat.com> 5.2.8-5
+- split out sysvshm, sysvsem, sysvmsg, posix into php-process
+
+* Sun Jan 25 2009 Joe Orton <jorton@redhat.com> 5.2.8-4
+- move wddx to php-xml, build curl shared in -common
+- remove BR for expat-devel, bogus configure option
+
+* Fri Jan 23 2009 Joe Orton <jorton@redhat.com> 5.2.8-3
+- rebuild for new MySQL
+
+* Sat Dec 13 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.8-2
+- libtool 2 workaround for phpize (#476004)
+- add missing php_embed.h (#457777)
+
+* Tue Dec 09 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.8-1
+- update to 5.2.8
+
+* Sat Dec 06 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.7-1.1
+- libtool 2 workaround
+
+* Fri Dec 05 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.7-1
+- update to 5.2.7
+- enable pdo_dblib driver in php-mssql
+
+* Mon Nov 24 2008 Joe Orton <jorton@redhat.com> 5.2.6-7
+- tweak Summary, thanks to Richard Hughes
+
+* Tue Nov 4 2008 Joe Orton <jorton@redhat.com> 5.2.6-6
+- move gd_README to php-gd
+- update to r4 of systzdata patch; introduces a default timezone
+ name of "System/Localtime", which uses /etc/localtime (#469532)
+
+* Sat Sep 13 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.6-5
+- enable XPM support in php-gd
+- Fix BR for php-gd
+
+* Sun Jul 20 2008 Remi Collet <Fedora@FamilleCollet.com> 5.2.6-4
+- enable T1lib support in php-gd
+
+* Mon Jul 14 2008 Joe Orton <jorton@redhat.com> 5.2.6-3
+- update to 5.2.6
+- sync default php.ini with upstream
+- drop extension_dir from default php.ini, rely on hard-coded
+ default, to make php-common multilib-safe (#455091)
+- update to r3 of systzdata patch
+
+* Thu Apr 24 2008 Joe Orton <jorton@redhat.com> 5.2.5-7
+- split pspell extension out into php-spell (#443857)
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 5.2.5-6
+- Autorebuild for GCC 4.3
+
+* Fri Jan 11 2008 Joe Orton <jorton@redhat.com> 5.2.5-5
+- ext/date: use system timezone database
+
+* Fri Dec 28 2007 Joe Orton <jorton@redhat.com> 5.2.5-4
+- rebuild for libc-client bump
+
+* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 5.2.5-3
+- Rebuild for openssl bump
+
+* Wed Dec 5 2007 Joe Orton <jorton@redhat.com> 5.2.5-2
+- update to 5.2.5
+
+* Mon Oct 15 2007 Joe Orton <jorton@redhat.com> 5.2.4-3
+- correct pcre BR version (#333021)
+- restore metaphone fix (#205714)
+- add READMEs to php-cli
+
+* Sun Sep 16 2007 Joe Orton <jorton@redhat.com> 5.2.4-2
+- update to 5.2.4
+
+* Sun Sep 2 2007 Joe Orton <jorton@redhat.com> 5.2.3-9
+- rebuild for fixed APR
+
+* Tue Aug 28 2007 Joe Orton <jorton@redhat.com> 5.2.3-8
+- add ldconfig post/postun for -embedded (Hans de Goede)
+
+* Fri Aug 10 2007 Hans de Goede <j.w.r.degoede@hhs.nl> 5.2.3-7
+- add php-embedded sub-package
+
+* Fri Aug 10 2007 Joe Orton <jorton@redhat.com> 5.2.3-6
+- fix build with new glibc
+- fix License
+
+* Mon Jul 16 2007 Joe Orton <jorton@redhat.com> 5.2.3-5
+- define php_extdir in macros.php
+
+* Mon Jul 2 2007 Joe Orton <jorton@redhat.com> 5.2.3-4
+- obsolete php-dbase
+
+* Tue Jun 19 2007 Joe Orton <jorton@redhat.com> 5.2.3-3
+- add mcrypt, mhash, tidy, mssql subpackages (Dmitry Butskoy)
+- enable dbase extension and package in -common
+
+* Fri Jun 8 2007 Joe Orton <jorton@redhat.com> 5.2.3-2
+- update to 5.2.3 (thanks to Jeff Sheltren)
+
+* Wed May 9 2007 Joe Orton <jorton@redhat.com> 5.2.2-4
+- fix php-pdo *_arg_force_ref global symbol abuse (#216125)
+
+* Tue May 8 2007 Joe Orton <jorton@redhat.com> 5.2.2-3
+- rebuild against uw-imap-devel
+
+* Fri May 4 2007 Joe Orton <jorton@redhat.com> 5.2.2-2
+- update to 5.2.2
+- synch changes from upstream recommended php.ini
+
+* Thu Mar 29 2007 Joe Orton <jorton@redhat.com> 5.2.1-5
+- enable SASL support in LDAP extension (#205772)
+
+* Wed Mar 21 2007 Joe Orton <jorton@redhat.com> 5.2.1-4
+- drop mime_magic extension (deprecated by php-pecl-Fileinfo)
+
+* Mon Feb 19 2007 Joe Orton <jorton@redhat.com> 5.2.1-3
+- fix regression in str_{i,}replace (from upstream)
+
+* Thu Feb 15 2007 Joe Orton <jorton@redhat.com> 5.2.1-2
+- update to 5.2.1
+- add Requires(pre) for httpd
+- trim %%changelog to versions >= 5.0.0
+
+* Thu Feb 8 2007 Joe Orton <jorton@redhat.com> 5.2.0-10
+- bump default memory_limit to 32M (#220821)
+- mark config files noreplace again (#174251)
+- drop trailing dots from Summary fields
+- use standard BuildRoot
+- drop libtool15 patch (#226294)
+
+* Tue Jan 30 2007 Joe Orton <jorton@redhat.com> 5.2.0-9
+- add php(api), php(zend-abi) provides (#221302)
+- package /usr/share/php and append to default include_path (#225434)
+
+* Tue Dec 5 2006 Joe Orton <jorton@redhat.com> 5.2.0-8
+- fix filter.h installation path
+- fix php-zend-abi version (Remi Collet, #212804)
+
+* Tue Nov 28 2006 Joe Orton <jorton@redhat.com> 5.2.0-7
+- rebuild again
+
+* Tue Nov 28 2006 Joe Orton <jorton@redhat.com> 5.2.0-6
+- rebuild for net-snmp soname bump
+
+* Mon Nov 27 2006 Joe Orton <jorton@redhat.com> 5.2.0-5
+- build json and zip shared, in -common (Remi Collet, #215966)
+- obsolete php-json and php-pecl-zip
+- build readline extension into /usr/bin/php* (#210585)
+- change module subpackages to require php-common not php (#177821)
+
+* Wed Nov 15 2006 Joe Orton <jorton@redhat.com> 5.2.0-4
+- provide php-zend-abi (#212804)
+- add /etc/rpm/macros.php exporting interface versions
+- synch with upstream recommended php.ini
+
+* Wed Nov 15 2006 Joe Orton <jorton@redhat.com> 5.2.0-3
+- update to 5.2.0 (#213837)
+- php-xml provides php-domxml (#215656)
+- fix php-pdo-abi provide (#214281)
+
+* Tue Oct 31 2006 Joseph Orton <jorton@redhat.com> 5.1.6-4
+- rebuild for curl soname bump
+- add build fix for curl 7.16 API
+
+* Wed Oct 4 2006 Joe Orton <jorton@redhat.com> 5.1.6-3
+- from upstream: add safety checks against integer overflow in _ecalloc
+
+* Tue Aug 29 2006 Joe Orton <jorton@redhat.com> 5.1.6-2
+- update to 5.1.6 (security fixes)
+- bump default memory_limit to 16M (#196802)
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 5.1.4-8.1
+- rebuild
+
+* Fri Jun 9 2006 Joe Orton <jorton@redhat.com> 5.1.4-8
+- Provide php-posix (#194583)
+- only provide php-pcntl from -cli subpackage
+- add missing defattr's (thanks to Matthias Saou)
+
+* Fri Jun 9 2006 Joe Orton <jorton@redhat.com> 5.1.4-7
+- move Obsoletes for php-openssl to -common (#194501)
+- Provide: php-cgi from -cli subpackage
+
+* Fri Jun 2 2006 Joe Orton <jorton@redhat.com> 5.1.4-6
+- split out php-cli, php-common subpackages (#177821)
+- add php-pdo-abi version export (#193202)
+
+* Wed May 24 2006 Radek Vokal <rvokal@redhat.com> 5.1.4-5.1
+- rebuilt for new libnetsnmp
+
+* Thu May 18 2006 Joe Orton <jorton@redhat.com> 5.1.4-5
+- provide mod_php (#187891)
+- provide php-cli (#192196)
+- use correct LDAP fix (#181518)
+- define _GNU_SOURCE in php_config.h and leave it defined
+- drop (circular) dependency on php-pear
+
+* Mon May 8 2006 Joe Orton <jorton@redhat.com> 5.1.4-3
+- update to 5.1.4
+
+* Wed May 3 2006 Joe Orton <jorton@redhat.com> 5.1.3-3
+- update to 5.1.3
+
+* Tue Feb 28 2006 Joe Orton <jorton@redhat.com> 5.1.2-5
+- provide php-api (#183227)
+- add provides for all builtin modules (Tim Jackson, #173804)
+- own %%{_libdir}/php/pear for PEAR packages (per #176733)
+- add obsoletes to allow upgrade from FE4 PDO packages (#181863)
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 5.1.2-4.3
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 5.1.2-4.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 31 2006 Joe Orton <jorton@redhat.com> 5.1.2-4
+- rebuild for new libc-client soname
+
+* Mon Jan 16 2006 Joe Orton <jorton@redhat.com> 5.1.2-3
+- only build xmlreader and xmlwriter shared (#177810)
+
+* Fri Jan 13 2006 Joe Orton <jorton@redhat.com> 5.1.2-2
+- update to 5.1.2
+
+* Thu Jan 5 2006 Joe Orton <jorton@redhat.com> 5.1.1-8
+- rebuild again
+
+* Mon Jan 2 2006 Joe Orton <jorton@redhat.com> 5.1.1-7
+- rebuild for new net-snmp
+
+* Mon Dec 12 2005 Joe Orton <jorton@redhat.com> 5.1.1-6
+- enable short_open_tag in default php.ini again (#175381)
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Thu Dec 8 2005 Joe Orton <jorton@redhat.com> 5.1.1-5
+- require net-snmp for php-snmp (#174800)
+
+* Sun Dec 4 2005 Joe Orton <jorton@redhat.com> 5.1.1-4
+- add /usr/share/pear back to hard-coded include_path (#174885)
+
+* Fri Dec 2 2005 Joe Orton <jorton@redhat.com> 5.1.1-3
+- rebuild for httpd 2.2
+
+* Mon Nov 28 2005 Joe Orton <jorton@redhat.com> 5.1.1-2
+- update to 5.1.1
+- remove pear subpackage
+- enable pdo extensions (php-pdo subpackage)
+- remove non-standard conditional module builds
+- enable xmlreader extension
+
+* Thu Nov 10 2005 Tomas Mraz <tmraz@redhat.com> 5.0.5-6
+- rebuilt against new openssl
+
+* Mon Nov 7 2005 Joe Orton <jorton@redhat.com> 5.0.5-5
+- pear: update to XML_RPC 1.4.4, XML_Parser 1.2.7, Mail 1.1.9 (#172528)
+
+* Tue Nov 1 2005 Joe Orton <jorton@redhat.com> 5.0.5-4
+- rebuild for new libnetsnmp
+
+* Wed Sep 14 2005 Joe Orton <jorton@redhat.com> 5.0.5-3
+- update to 5.0.5
+- add fix for upstream #34435
+- devel: require autoconf, automake (#159283)
+- pear: update to HTTP-1.3.6, Mail-1.1.8, Net_SMTP-1.2.7, XML_RPC-1.4.1
+- fix imagettftext et al (upstream, #161001)
+
+* Thu Jun 16 2005 Joe Orton <jorton@redhat.com> 5.0.4-11
+- ldap: restore ldap_start_tls() function
+
+* Fri May 6 2005 Joe Orton <jorton@redhat.com> 5.0.4-10
+- disable RPATHs in shared extensions (#156974)
+
+* Tue May 3 2005 Joe Orton <jorton@redhat.com> 5.0.4-9
+- build simplexml_import_dom even with shared dom (#156434)
+- prevent truncation of copied files to ~2Mb (#155916)
+- install /usr/bin/php from CLI build alongside CGI
+- enable sysvmsg extension (#142988)
+
+* Mon Apr 25 2005 Joe Orton <jorton@redhat.com> 5.0.4-8
+- prevent build of builtin dba as well as shared extension
+
+* Wed Apr 13 2005 Joe Orton <jorton@redhat.com> 5.0.4-7
+- split out dba and bcmath extensions into subpackages
+- BuildRequire gcc-c++ to avoid AC_PROG_CXX{,CPP} failure (#155221)
+- pear: update to DB-1.7.6
+- enable FastCGI support in /usr/bin/php-cgi (#149596)
+
+* Wed Apr 13 2005 Joe Orton <jorton@redhat.com> 5.0.4-6
+- build /usr/bin/php with the CLI SAPI, and add /usr/bin/php-cgi,
+ built with the CGI SAPI (thanks to Edward Rudd, #137704)
+- add php(1) man page for CLI
+- fix more test cases to use -n when invoking php
+
+* Wed Apr 13 2005 Joe Orton <jorton@redhat.com> 5.0.4-5
+- rebuild for new libpq soname
+
+* Tue Apr 12 2005 Joe Orton <jorton@redhat.com> 5.0.4-4
+- bundle from PEAR: HTTP, Mail, XML_Parser, Net_Socket, Net_SMTP
+- snmp: disable MSHUTDOWN function to prevent error_log noise (#153988)
+- mysqli: add fix for crash on x86_64 (Georg Richter, upstream #32282)
+
+* Mon Apr 11 2005 Joe Orton <jorton@redhat.com> 5.0.4-3
+- build shared objects as PIC (#154195)
+
+* Mon Apr 4 2005 Joe Orton <jorton@redhat.com> 5.0.4-2
+- fix PEAR installation and bundle PEAR DB-1.7.5 package
+
+* Fri Apr 1 2005 Joe Orton <jorton@redhat.com> 5.0.4-1
+- update to 5.0.4 (#153068)
+- add .phps AddType to php.conf (#152973)
+- better gcc4 fix for libxmlrpc
+
+* Wed Mar 30 2005 Joe Orton <jorton@redhat.com> 5.0.3-5
+- BuildRequire mysql-devel >= 4.1
+- don't mark php.ini as noreplace to make upgrades work (#152171)
+- fix subpackage descriptions (#152628)
+- fix memset(,,0) in Zend (thanks to Dave Jones)
+- fix various compiler warnings in Zend
+
+* Thu Mar 24 2005 Joe Orton <jorton@redhat.com> 5.0.3-4
+- package mysqli extension in php-mysql
+- really enable pcntl (#142903)
+- don't build with --enable-safe-mode (#148969)
+- use "Instant Client" libraries for oci8 module (Kai Bolay, #149873)
+
+* Fri Feb 18 2005 Joe Orton <jorton@redhat.com> 5.0.3-3
+- fix build with GCC 4
+
+* Wed Feb 9 2005 Joe Orton <jorton@redhat.com> 5.0.3-2
+- install the ext/gd headers (#145891)
+- enable pcntl extension in /usr/bin/php (#142903)
+- add libmbfl array arithmetic fix (dcb314@hotmail.com, #143795)
+- add BuildRequire for recent pcre-devel (#147448)
+
+* Wed Jan 12 2005 Joe Orton <jorton@redhat.com> 5.0.3-1
+- update to 5.0.3 (thanks to Robert Scheck et al, #143101)
+- enable xsl extension (#142174)
+- package both the xsl and dom extensions in php-xml
+- enable soap extension, shared (php-soap package) (#142901)
+- add patches from upstream 5.0 branch:
+ * Zend_strtod.c compile fixes
+ * correct php_sprintf return value usage
+
+* Mon Nov 22 2004 Joe Orton <jorton@redhat.com> 5.0.2-8
+- update for db4-4.3 (Robert Scheck, #140167)
+- build against mysql-devel
+- run tests in %%check
+
+* Wed Nov 10 2004 Joe Orton <jorton@redhat.com> 5.0.2-7
+- truncate changelog at 4.3.1-1
+- merge from 4.3.x package:
+ - enable mime_magic extension and Require: file (#130276)
+
+* Mon Nov 8 2004 Joe Orton <jorton@redhat.com> 5.0.2-6
+- fix dom/sqlite enable/without confusion
+
+* Mon Nov 8 2004 Joe Orton <jorton@redhat.com> 5.0.2-5
+- fix phpize installation for lib64 platforms
+- add fix for segfault in variable parsing introduced in 5.0.2
+
+* Mon Nov 8 2004 Joe Orton <jorton@redhat.com> 5.0.2-4
+- update to 5.0.2 (#127980)
+- build against mysqlclient10-devel
+- use new RTLD_DEEPBIND to load extension modules
+- drop explicit requirement for elfutils-devel
+- use AddHandler in default conf.d/php.conf (#135664)
+- "fix" round() fudging for recent gcc on x86
+- disable sqlite pending audit of warnings and subpackage split
+
+* Fri Sep 17 2004 Joe Orton <jorton@redhat.com> 5.0.1-4
+- don't build dom extension into 2.0 SAPI
+
+* Fri Sep 17 2004 Joe Orton <jorton@redhat.com> 5.0.1-3
+- ExclusiveArch: x86 ppc x86_64 for the moment
+
+* Fri Sep 17 2004 Joe Orton <jorton@redhat.com> 5.0.1-2
+- fix default extension_dir and conf.d/php.conf
+
+* Thu Sep 9 2004 Joe Orton <jorton@redhat.com> 5.0.1-1
+- update to 5.0.1
+- only build shared modules once
+- put dom extension in php-dom subpackage again
+- move extension modules into %%{_libdir}/php/modules
+- don't use --with-regex=system, it's ignored for the apache* SAPIs
+
+* Wed Aug 11 2004 Tom Callaway <tcallawa@redhat.com>
+- Merge in some spec file changes from Jeff Stern (jastern@uci.edu)
+
+* Mon Aug 09 2004 Tom Callaway <tcallawa@redhat.com>
+- bump to 5.0.0
+- add patch to prevent clobbering struct re_registers from regex.h
+- remove domxml references, replaced with dom now built-in
+- fix php.ini to refer to php5 not php4