From 11cdddba8b85449e00369f581a9d535bd42b3fe2 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Mon, 26 Aug 2024 15:40:29 +0200
Subject: add backport for https://bugs.php.net/79589

  error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading
---
 php-7.4.26-openssl3.patch | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)


diff --git a/php-7.4.26-openssl3.patch b/php-7.4.26-openssl3.patch
index c23c517..aec6b96 100644
--- a/php-7.4.26-openssl3.patch
+++ b/php-7.4.26-openssl3.patch
@@ -2602,3 +2602,39 @@ index b136729cb5..d0fd976376 100644
 -- 
 2.41.0
 
+From 74f75db0c3665677ec006cd379fd561feacffdc6 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Sun, 15 May 2022 13:49:17 +0100
+Subject: [PATCH] Fix bug #79589: ssl3_read_n:unexpected eof while reading
+
+The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
+truncation attack. However there are many non complaint servers and
+it is causing break for many users including potential majority
+of those where the truncation attack is not applicable. For that reason
+we try to keep behavior consitent with older OpenSSL versions which is
+also the path chosen by some other languages and web servers.
+
+Closes GH-8369
+---
+ NEWS                            |  4 ++++
+ ext/openssl/tests/bug79589.phpt | 21 +++++++++++++++++++++
+ ext/openssl/xp_ssl.c            |  5 +++++
+ 3 files changed, 30 insertions(+)
+ create mode 100644 ext/openssl/tests/bug79589.phpt
+
+diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
+index 918b3ca5b21df..ce23fb29f4296 100644
+--- a/ext/openssl/xp_ssl.c
++++ b/ext/openssl/xp_ssl.c
+@@ -1652,6 +1652,11 @@ int php_openssl_setup_crypto(php_stream *stream,
+ 
+ 	ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ 
++#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
++	/* Only for OpenSSL 3+ to keep OpenSSL 1.1.1 behavior */
++	ssl_ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
++#endif
++
+ 	if (!GET_VER_OPT("disable_compression") || zend_is_true(val)) {
+ 		ssl_ctx_options |= SSL_OP_NO_COMPRESSION;
+ 	}
-- 
cgit