PKGBUILDs/extra/php7/openssl3-eof.patch
2022-11-08 01:06:22 +00:00

78 lines
2.5 KiB
Diff

From 74f75db0c3665677ec006cd379fd561feacffdc6 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Sun, 15 May 2022 13:49:17 +0100
Subject: [PATCH] Fix bug #79589: ssl3_read_n:unexpected eof while reading
The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
truncation attack. However there are many non complaint servers and
it is causing break for many users including potential majority
of those where the truncation attack is not applicable. For that reason
we try to keep behavior consitent with older OpenSSL versions which is
also the path chosen by some other languages and web servers.
Closes GH-8369
---
NEWS | 4 ++++
ext/openssl/tests/bug79589.phpt | 21 +++++++++++++++++++++
ext/openssl/xp_ssl.c | 5 +++++
3 files changed, 30 insertions(+)
create mode 100644 ext/openssl/tests/bug79589.phpt
diff --git a/NEWS b/NEWS
index e270ad3f1821..83a891b47d06 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,10 @@ PHP NEWS
. Fixed bug GH-8461 (tracing JIT crash after function/method change).
(Arnaud, Dmitry)
+- OpenSSL:
+ . Fixed bug #79589 (error:14095126:SSL routines:ssl3_read_n:unexpected eof
+ while reading). (Jakub Zelenka)
+
- SPL:
. Fixed bug GH-8235 (iterator_count() may run indefinitely). (cmb)
diff --git a/ext/openssl/tests/bug79589.phpt b/ext/openssl/tests/bug79589.phpt
new file mode 100644
index 000000000000..5d277e8c63ce
--- /dev/null
+++ b/ext/openssl/tests/bug79589.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #65538: TLS unexpected EOF failure
+--EXTENSIONS--
+openssl
+--SKIPIF--
+<?php
+if (getenv("SKIP_ONLINE_TESTS")) die("skip online test");
+?>
+--FILE--
+<?php
+
+$release = file_get_contents(
+ 'https://chromedriver.storage.googleapis.com/LATEST_RELEASE',
+ false,
+ stream_context_create(['ssl' => ['verify_peer'=> false]])
+);
+echo gettype($release);
+
+?>
+--EXPECT--
+string
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index 918b3ca5b21d..ce23fb29f429 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -1639,6 +1639,11 @@ int php_openssl_setup_crypto(php_stream *stream,
ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ /* Only for OpenSSL 3+ to keep OpenSSL 1.1.1 behavior */
+ ssl_ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+#endif
+
if (!GET_VER_OPT("disable_compression") || zend_is_true(val)) {
ssl_ctx_options |= SSL_OP_NO_COMPRESSION;
}