Date: Monday, November 7, 2022 @ 21:59:52
Author: foutrelis
Revision: 460884
upgpkg: php7 7.4.33-2: avoid EOF detection with OpenSSL 3.0
Add patch from PHP 8 that sets the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Added:
php7/trunk/openssl3-eof.patch
Modified:
php7/trunk/PKGBUILD
--------------------+
PKGBUILD | 5 ++-
openssl3-eof.patch | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 82 insertions(+), 1 deletion(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-11-07 21:41:27 UTC (rev 460883)
+++ PKGBUILD 2022-11-07 21:59:52 UTC (rev 460884)
@@ -22,7 +22,7 @@
'php7-tidy'
'php7-xsl')
pkgver=7.4.33
-pkgrel=1
+pkgrel=2
arch=('x86_64')
license=('PHP')
url='https://www.php.net/'
@@ -33,11 +33,13 @@
options=(debug)
source=("https://php.net/distributions/php-${pkgver}.tar.xz"{,.asc}
'php7-openssl3.patch::https://github.com/php/php-src/commit/a0972deb0f441fc7991001cb51efc994b70a3b51.patch'
+
'php7-openssl3-eof.patch::https://github.com/php/php-src/commit/74f75db0c3665677ec006cd379fd561feacffdc6.patch'
'apache.patch' 'apache.conf' 'php-fpm.patch' 'php-fpm.tmpfiles'
'php.ini.patch'
'enchant-2.patch' 'php7.patch')
sha512sums=('499b63b99e5d8e8082ff89d3a91b4cb9a593ea7553b96e48863414c13d2e50275904ed29070e2232e529ee91160f505e6060a4d129cb5bf098aa5b6ea0928d3d'
'SKIP'
'07b9ba019221cce6f73ebf1fdc6124f0730e42d19b9e0f846d132423da3b820439d4cba61fff8e65937c955ba985889f0c57ed2f94f380213e7279b0531c6444'
+
'46112bf170c6f1772792c02d6cabd1219aa0d5e3123551cd2bbed480f7cf87743eece89539e3d62eacd312fd025235bb9f5ac1c771bd18ae5b606ae48a7bf222'
'284e3c0fe3ded0ff3e7d53f2769ea207b4591ef42abeff2d8604e87fe379929bd3b19ff294a729834f339a9da85ae7d4a7d8605890677222f78601b4f2b22247'
'eccbe1a0c7b2757ab3c982c871cc591a66ad70f085aaa0d44f93cacacedc7b8fd21b8d0c66471327ff070db1bab1ab83a802f6fa190f33bdd74c134975e3910e'
'bf43a99b464a873986954233e2df4841eeab21a6d359a777b7514a4fa34462c9f0fd85243086122ed50c766d5b60fb83f9f181a9b43ae1b527672a4f3b8d8eed'
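Review bot: The new source entry downloads the patch from GitHub as `php7-openssl3-eof.patch`, while the copy this commit adds to the repository (`openssl3-eof.patch`) is not listed in `source=()` and so looks unused by the build. The pinned sha512 does guard the download, but it is computed over GitHub's generated `.patch` output, which may change if the forge alters how it renders patches; the build then fails until someone re-verifies the content. I would reference the vendored file instead, `'openssl3-eof.patch'` in `source=()` with the sha512 of the committed file, or drop the local copy if the remote fetch is intended. The `sha512sums` array continues outside this hunk.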
@@ -53,6 +55,7 @@
cd "${srcdir}/php-${pkgver}"
patch -p1 -i "${srcdir}/php7-openssl3.patch"
+ patch -p1 -i "${srcdir}/php7-openssl3-eof.patch"
patch -p0 -i "${srcdir}/apache.patch"
patch -p0 -i "${srcdir}/php-fpm.patch"
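Review bot: `patch -p1` here applies the whole upstream commit, not only the `ext/openssl/xp_ssl.c` change: per the patch added in this commit it also edits `NEWS` and creates `ext/openssl/tests/bug79589.phpt`. The `NEWS` hunk's context lines (the GH-8461 tracing JIT entry) come from the PHP 8 branch and are probably not present in the 7.4.33 tree, so that hunk may be rejected and make `patch` exit non-zero; I have not verified this against the tarball. Trimming the vendored patch to the `xp_ssl.c` section and applying that, `patch -p1 -i "${srcdir}/openssl3-eof.patch"`, would keep the step to the one change the package needs. The enclosing function starts and ends outside the hunk.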
Added: openssl3-eof.patch
===================================================================
--- openssl3-eof.patch (rev 0)
+++ openssl3-eof.patch 2022-11-07 21:59:52 UTC (rev 460884)
@@ -0,0 +1,78 @@
+From 74f75db0c3665677ec006cd379fd561feacffdc6 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <[email protected]>
+Date: Sun, 15 May 2022 13:49:17 +0100
+Subject: [PATCH] Fix bug #79589: ssl3_read_n:unexpected eof while reading
+
+The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
+truncation attack. However there are many non complaint servers and
+it is causing break for many users including potential majority
+of those where the truncation attack is not applicable. For that reason
+we try to keep behavior consitent with older OpenSSL versions which is
+also the path chosen by some other languages and web servers.
+
+Closes GH-8369
+---
+ NEWS | 4 ++++
+ ext/openssl/tests/bug79589.phpt | 21 +++++++++++++++++++++
+ ext/openssl/xp_ssl.c | 5 +++++
+ 3 files changed, 30 insertions(+)
+ create mode 100644 ext/openssl/tests/bug79589.phpt
+
+diff --git a/NEWS b/NEWS
+index e270ad3f1821..83a891b47d06 100644
+--- a/NEWS
++++ b/NEWS
+@@ -11,6 +11,10 @@ PHP
NEWS
+ . Fixed bug GH-8461 (tracing JIT crash after function/method change).
+ (Arnaud, Dmitry)
+
++- OpenSSL:
++ . Fixed bug #79589 (error:14095126:SSL routines:ssl3_read_n:unexpected eof
++ while reading). (Jakub Zelenka)
++
+ - SPL:
+ . Fixed bug GH-8235 (iterator_count() may run indefinitely). (cmb)
+
+diff --git a/ext/openssl/tests/bug79589.phpt b/ext/openssl/tests/bug79589.phpt
+new file mode 100644
+index 000000000000..5d277e8c63ce
+--- /dev/null
++++ b/ext/openssl/tests/bug79589.phpt
+@@ -0,0 +1,21 @@
++--TEST--
++Bug #65538: TLS unexpected EOF failure
++--EXTENSIONS--
++openssl
++--SKIPIF--
++<?php
++if (getenv("SKIP_ONLINE_TESTS")) die("skip online test");
++?>
++--FILE--
++<?php
++
++$release = file_get_contents(
++ 'https://chromedriver.storage.googleapis.com/LATEST_RELEASE',
++ false,
++ stream_context_create(['ssl' => ['verify_peer'=> false]])
++);
++echo gettype($release);
++
++?>
++--EXPECT--
++string
+diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
+index 918b3ca5b21d..ce23fb29f429 100644
+--- a/ext/openssl/xp_ssl.c
++++ b/ext/openssl/xp_ssl.c
+@@ -1639,6 +1639,11 @@ int php_openssl_setup_crypto(php_stream *stream,
+
+ ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+
++#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
++ /* Only for OpenSSL 3+ to keep OpenSSL 1.1.1 behavior */
++ ssl_ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
++#endif
++
+ if (!GET_VER_OPT("disable_compression") || zend_is_true(val)) {
+ ssl_ctx_options |= SSL_OP_NO_COMPRESSION;
+ }
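Review bot: The added `ssl_ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF;` is unconditional, so on OpenSSL 3 every stream set up through php_openssl_setup_crypto treats a connection closed without close_notify as a normal end of stream, and the truncation check the patch description mentions is off for all callers with no way to turn it back on. Code that relies on connection close to delimit data then cannot tell a complete response from a truncated one. If an opt-out is not wanted for this backport, the comment should at least state the trade-off, e.g. `/* OpenSSL 3+: accept EOF without close_notify as 1.1.1 did; this disables truncation detection for every stream */`; otherwise the flag could be gated on a stream context option read with `GET_VER_OPT`, as the `disable_compression` check below it is. The function body starts and ends outside the hunk.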