archrelease: copy trunk to testing-x86_64
1 From 74f75db0c3665677ec006cd379fd561feacffdc6 Mon Sep 17 00:00:00 2001
2 From: Jakub Zelenka <bukka@php.net>
3 Date: Sun, 15 May 2022 13:49:17 +0100
4 Subject: [PATCH] Fix bug #79589: ssl3_read_n:unexpected eof while reading
6 The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
7 truncation attack. However, there are many non-compliant servers and
8 it is causing breakage for many users, including a potential majority
9 of those where the truncation attack is not applicable. For that reason
10 we try to keep behavior consistent with older OpenSSL versions, which is
11 also the path chosen by some other languages and web servers.
13 Closes GH-8369
14 ---
15 NEWS | 4 ++++
16 ext/openssl/tests/bug79589.phpt | 21 +++++++++++++++++++++
17 ext/openssl/xp_ssl.c | 5 +++++
18 3 files changed, 30 insertions(+)
19 create mode 100644 ext/openssl/tests/bug79589.phpt
21 diff --git a/NEWS b/NEWS
22 index e270ad3f1821..83a891b47d06 100644
23 --- a/NEWS
24 +++ b/NEWS
25 @@ -11,6 +11,10 @@ PHP NEWS
26 . Fixed bug GH-8461 (tracing JIT crash after function/method change).
27 (Arnaud, Dmitry)
29 +- OpenSSL:
30 + . Fixed bug #79589 (error:14095126:SSL routines:ssl3_read_n:unexpected eof
31 + while reading). (Jakub Zelenka)
33 - SPL:
34 . Fixed bug GH-8235 (iterator_count() may run indefinitely). (cmb)
36 diff --git a/ext/openssl/tests/bug79589.phpt b/ext/openssl/tests/bug79589.phpt
37 new file mode 100644
38 index 000000000000..5d277e8c63ce
39 --- /dev/null
40 +++ b/ext/openssl/tests/bug79589.phpt
41 @@ -0,0 +1,21 @@
42 +--TEST--
43 +Bug #65538: TLS unexpected EOF failure
44 +--EXTENSIONS--
45 +openssl
46 +--SKIPIF--
47 +<?php
48 +if (getenv("SKIP_ONLINE_TESTS")) die("skip online test");
49 +?>
50 +--FILE--
51 +<?php
53 +$release = file_get_contents(
54 + 'https://chromedriver.storage.googleapis.com/LATEST_RELEASE',
55 + false,
56 + stream_context_create(['ssl' => ['verify_peer'=> false]])
57 +);
58 +echo gettype($release);
60 +?>
61 +--EXPECT--
62 +string
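Review bot: The stream context in the `--FILE--` section sets `'verify_peer' => false`, which turns off certificate verification for a request to a public host, although the behaviour under test (a read that no longer fails on an unexpected EOF) does not appear to depend on it. Unless the CI environment lacks a CA bundle, the call could drop the third argument and use the default context: `file_get_contents('https://chromedriver.storage.googleapis.com/LATEST_RELEASE')`. The `--TEST--` title reads `Bug #65538`, while the file name and the NEWS entry refer to #79589, so it should be `Bug #79589: TLS unexpected EOF failure`. Because the only assertion is `gettype($release)`, the test passes on any body the remote host returns. A short comment should say that it checks only that the read succeeds, not that the content is complete.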
63 diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
64 index 918b3ca5b21d..ce23fb29f429 100644
65 --- a/ext/openssl/xp_ssl.c
66 +++ b/ext/openssl/xp_ssl.c
67 @@ -1639,6 +1639,11 @@ int php_openssl_setup_crypto(php_stream *stream,
69 ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
71 +#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
72 + /* Only for OpenSSL 3+ to keep OpenSSL 1.1.1 behavior */
73 + ssl_ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
74 +#endif
76 if (!GET_VER_OPT("disable_compression") || zend_is_true(val)) {
77 ssl_ctx_options |= SSL_OP_NO_COMPRESSION;