From 26860a7c5207dbe1aecf448fc9353970ec45bc02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Mon, 1 Aug 2022 09:33:49 +0200
Subject: [PATCH] Add upstream patch for OpenSSL 3.0 unexpected EOF failure

---
 ...l3_read_n-unexpected-eof-while-readi.patch | 61 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 62 insertions(+)
 create mode 100644 debian/patches/0052-Fix-bug-79589-ssl3_read_n-unexpected-eof-while-readi.patch

diff --git a/debian/patches/0052-Fix-bug-79589-ssl3_read_n-unexpected-eof-while-readi.patch b/debian/patches/0052-Fix-bug-79589-ssl3_read_n-unexpected-eof-while-readi.patch
new file mode 100644
index 0000000000..d420b472e4
--- /dev/null
+++ b/debian/patches/0052-Fix-bug-79589-ssl3_read_n-unexpected-eof-while-readi.patch
@@ -0,0 +1,61 @@
+From: Jakub Zelenka <bukka@php.net>
+Date: Sun, 15 May 2022 13:49:17 +0100
+Subject: Fix bug #79589: ssl3_read_n:unexpected eof while reading
+
+The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
+truncation attack. However there are many non complaint servers and
+it is causing break for many users including potential majority
+of those where the truncation attack is not applicable. For that reason
+we try to keep behavior consitent with older OpenSSL versions which is
+also the path chosen by some other languages and web servers.
+
+Closes GH-8369
+---
+ ext/openssl/tests/bug79589.phpt | 21 +++++++++++++++++++++
+ ext/openssl/xp_ssl.c            |  5 +++++
+ 2 files changed, 26 insertions(+)
+ create mode 100644 ext/openssl/tests/bug79589.phpt
+
+diff --git a/ext/openssl/tests/bug79589.phpt b/ext/openssl/tests/bug79589.phpt
+new file mode 100644
+index 0000000..5d277e8
+--- /dev/null
++++ b/ext/openssl/tests/bug79589.phpt
+@@ -0,0 +1,21 @@
++--TEST--
++Bug #65538: TLS unexpected EOF failure
++--EXTENSIONS--
++openssl
++--SKIPIF--
++<?php
++if (getenv("SKIP_ONLINE_TESTS")) die("skip online test");
++?>
++--FILE--
++<?php
++
++$release = file_get_contents(
++    'https://chromedriver.storage.googleapis.com/LATEST_RELEASE',
++    false,
++    stream_context_create(['ssl' => ['verify_peer'=> false]])
++);
++echo gettype($release);
++
++?>
++--EXPECT--
++string
+diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
+index 9710e44..1f808bd 100644
+--- a/ext/openssl/xp_ssl.c
++++ b/ext/openssl/xp_ssl.c
+@@ -1640,6 +1640,11 @@ int php_openssl_setup_crypto(php_stream *stream,
+ 
+ 	ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ 
++#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
++	/* Only for OpenSSL 3+ to keep OpenSSL 1.1.1 behavior */
++	ssl_ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
++#endif
++
+ 	if (!GET_VER_OPT("disable_compression") || zend_is_true(val)) {
+ 		ssl_ctx_options |= SSL_OP_NO_COMPRESSION;
+ 	}
diff --git a/debian/patches/series b/debian/patches/series
index c92d33e65a..8b0fae725e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -49,3 +49,4 @@
 0049-Add-minimal-OpenSSL-3.0-patch.patch
 0050-Use-true-false-instead-of-TRUE-FALSE-in-intl.patch
 0051-ax_gcc_func_attribute-Revise-the-detection-of-unknow.patch
+0052-Fix-bug-79589-ssl3_read_n-unexpected-eof-while-readi.patch
-- 
GitLab