From 797c9367cdef173cc942e8e538db9f1c65c2c63c Mon Sep 17 00:00:00 2001
From: Graham Campbell
Date: Thu, 23 Nov 2023 17:14:06 +0000
Subject: [PATCH] Use OpenSSL 3.2 across all PHP versions
---
layers/openssl3.patch | 13 +++++++++++++
php-80/Dockerfile | 9 +++++++--
php-81/Dockerfile | 2 +-
php-82/Dockerfile | 2 +-
php-83/Dockerfile | 2 +-
tests/test_2_extensions.php | 2 +-
6 files changed, 24 insertions(+), 6 deletions(-)
create mode 100644 layers/openssl3.patch
diff --git a/layers/openssl3.patch b/layers/openssl3.patch
new file mode 100644
index 00000000..8b053983
--- /dev/null
+++ b/layers/openssl3.patch
@@ -0,0 +1,13 @@
+Patch for OpenSSL 3 support for PHP 8.0
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -1325,7 +1325,9 @@
+ REGISTER_LONG_CONSTANT("OPENSSL_CMS_NOSIGS", CMS_NOSIGS, CONST_CS|CONST_PERSISTENT);
+ 
+ REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_PADDING", RSA_PKCS1_PADDING, CONST_CS|CONST_PERSISTENT);
++#ifdef RSA_SSLV23_PADDING
+ REGISTER_LONG_CONSTANT("OPENSSL_SSLV23_PADDING", RSA_SSLV23_PADDING, CONST_CS|CONST_PERSISTENT);
++#endif
+ REGISTER_LONG_CONSTANT("OPENSSL_NO_PADDING", RSA_NO_PADDING, CONST_CS|CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING, CONST_CS|CONST_PERSISTENT);
+ 
diff --git a/php-80/Dockerfile b/php-80/Dockerfile
index ab523319..87a66a7d 100644
--- a/php-80/Dockerfile
+++ b/php-80/Dockerfile
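Review bot: The one-line header of the new patch file does not state the user-visible consequence of the `#ifdef RSA_SSLV23_PADDING` guard: once PHP 8.0 is built against OpenSSL 3, where that macro is no longer provided, the `OPENSSL_SSLV23_PADDING` PHP constant is not registered at all, so user code naming it fails with an undefined-constant Error rather than falling back to another padding mode. Suggested header: `Patch for OpenSSL 3 support for PHP 8.0: RSA_SSLV23_PADDING does not exist in OpenSSL 3, so OPENSSL_SSLV23_PADDING is only registered when the OpenSSL headers define it; PHP code referring to that constant gets an undefined-constant error on this build.` The hunk is pinned to line 1325 of ext/openssl/openssl.c with no record of which PHP 8.0 point release the offsets were taken from; noting that release in the header would make it clear when a later 8.0.x bump needs the context re-checked, since the Dockerfile applies it with plain `patch -p1` and would otherwise rely on fuzz matching.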
@@ -103,13 +103,14 @@ RUN set -xe; \
 # Needed by:
 # - curl
 # - php
-ENV VERSION_OPENSSL=1.1.1w
+RUN yum install -y perl-IPC-Cmd
+ENV VERSION_OPENSSL=3.2.0
 ENV OPENSSL_BUILD_DIR=${BUILD_DIR}/openssl
 ENV CA_BUNDLE_SOURCE="https://curl.se/ca/cacert.pem"
 ENV CA_BUNDLE="${INSTALL_DIR}/bref/ssl/cert.pem"
 RUN set -xe; \
 mkdir -p ${OPENSSL_BUILD_DIR}; \
- curl -Ls https://github.com/openssl/openssl/archive/OpenSSL_${VERSION_OPENSSL//./_}.tar.gz \
+ curl -Ls https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz \
 | tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1
 WORKDIR ${OPENSSL_BUILD_DIR}/
 RUN CFLAGS="" \
@@ -384,6 +385,10 @@
 ARG VERSION_PHP
 RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${VERSION_PHP}.tar.gz/from/this/mirror \
 | tar xzC . --strip-components=1
+COPY layers/openssl3.patch ${PHP_BUILD_DIR}
+RUN patch -N -p1 -s < openssl3.patch
+RUN rm openssl3.patch
+
 # Configure the build
 # -fstack-protector-strong : Be paranoid about stack overflows
 # -fpic : Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
diff --git a/php-81/Dockerfile b/php-81/Dockerfile
index 8e5f81aa..cce8ddde 100644
--- a/php-81/Dockerfile
+++ b/php-81/Dockerfile
@@ -104,7 +104,7 @@ RUN set -xe; \
 # - curl
 # - php
 RUN yum install -y perl-IPC-Cmd
-ENV VERSION_OPENSSL=3.0.12
+ENV VERSION_OPENSSL=3.2.0
 ENV OPENSSL_BUILD_DIR=${BUILD_DIR}/openssl
 ENV CA_BUNDLE_SOURCE="https://curl.se/ca/cacert.pem"
 ENV CA_BUNDLE="${INSTALL_DIR}/bref/ssl/cert.pem"
diff --git a/php-82/Dockerfile b/php-82/Dockerfile
index cb2a0db3..d89079cb 100644
--- a/php-82/Dockerfile
+++ b/php-82/Dockerfile
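Review bot: The new `curl -Ls ... | tar xzC` line fetches the OpenSSL 3.2.0 release tarball with no integrity check and without `--fail`, so an HTTP error body, a mirror problem or a tampered release asset is piped straight into tar and compiled into the layer; the PHP download in the next hunk at least passes `--fail --show-error`. Now that the version is pinned in `VERSION_OPENSSL`, the release's published sha256 can be pinned next to it and verified with coreutils' `sha256sum` before extraction, which turns a bad download into a build failure instead of a silently different library. The same download line presumably exists in php-81, php-82 and php-83 (only their ENV lines are in this diff), so the check belongs in all four Dockerfiles. The `RUN set -xe` block continues outside the hunk.
```dockerfile
ENV VERSION_OPENSSL=3.2.0
# sha256 of openssl-${VERSION_OPENSSL}.tar.gz, taken from the OpenSSL release page; update it with every version bump
ENV SHA256_OPENSSL=<sha256 of openssl-3.2.0.tar.gz>
# … unchanged: OPENSSL_BUILD_DIR / CA_BUNDLE_SOURCE / CA_BUNDLE …
RUN set -xe; \
    mkdir -p ${OPENSSL_BUILD_DIR}; \
    curl -Ls --fail --show-error -o openssl.tar.gz https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz; \
    echo "${SHA256_OPENSSL}  openssl.tar.gz" | sha256sum -c -; \
    tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1 -f openssl.tar.gz; \
    rm openssl.tar.gz
```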
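Review bot: `RUN patch -N -p1 -s < openssl3.patch` silences exactly the output that matters when the PHP 8.0 source drifts from the context recorded in the patch (offset and fuzz messages), so a hunk applied at a fuzzed position or skipped as already applied shows up only as a bare exit status. Dropping `-s` and adding `--fuzz=0` makes the step fail loudly when the context no longer matches exactly, and the three layers can be one: `RUN patch -N -p1 --fuzz=0 < openssl3.patch && rm openssl3.patch`. A one-line comment above the COPY would save the next reader a trip to the patch file: `# PHP 8.0 predates OpenSSL 3; layers/openssl3.patch guards the OPENSSL_SSLV23_PADDING constant whose OpenSSL macro no longer exists`. The step also relies on WORKDIR already being ${PHP_BUILD_DIR} (the `tar xzC .` two lines up suggests it is), which is worth stating since `patch` reads `openssl3.patch` from the current directory.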
@@ -104,7 +104,7 @@ RUN set -xe; \
 # - curl
 # - php
 RUN yum install -y perl-IPC-Cmd
-ENV VERSION_OPENSSL=3.0.12
+ENV VERSION_OPENSSL=3.2.0
 ENV OPENSSL_BUILD_DIR=${BUILD_DIR}/openssl
 ENV CA_BUNDLE_SOURCE="https://curl.se/ca/cacert.pem"
 ENV CA_BUNDLE="${INSTALL_DIR}/bref/ssl/cert.pem"
diff --git a/php-83/Dockerfile b/php-83/Dockerfile
index 2ae63a7a..07918155 100644
--- a/php-83/Dockerfile
+++ b/php-83/Dockerfile
@@ -104,7 +104,7 @@ RUN set -xe; \
 # - curl
 # - php
 RUN yum install -y perl-IPC-Cmd
-ENV VERSION_OPENSSL=3.0.12
+ENV VERSION_OPENSSL=3.2.0
 ENV OPENSSL_BUILD_DIR=${BUILD_DIR}/openssl
 ENV CA_BUNDLE_SOURCE="https://curl.se/ca/cacert.pem"
 ENV CA_BUNDLE="${INSTALL_DIR}/bref/ssl/cert.pem"
diff --git a/tests/test_2_extensions.php b/tests/test_2_extensions.php
index 101147fe..fd944f9d 100644
--- a/tests/test_2_extensions.php
+++ b/tests/test_2_extensions.php
@@ -81,7 +81,7 @@
 // https://github.com/brefphp/aws-lambda-layers/issues/42
 'curl-http2' => defined('CURL_HTTP_VERSION_2'),
 // Make sure we are not using the default AL2 OpenSSL version (7.79)
- 'curl-openssl' => str_starts_with(curl_version()['ssl_version'], 'OpenSSL/1.1.1') || str_starts_with(curl_version()['ssl_version'], 'OpenSSL/3.0'),
+ 'curl-openssl' => str_starts_with(curl_version()['ssl_version'], 'OpenSSL/3.2'),
 // Check that the default certificate file exists
 // https://github.com/brefphp/aws-lambda-layers/issues/53
 'curl-openssl-certificates' => file_exists(openssl_get_cert_locations()['default_cert_file']),
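Review bot: The tightened `'curl-openssl'` assertion only checks the OpenSSL that curl was linked against; nothing in this hunk checks that PHP's own ext/openssl, the extension the new layers/openssl3.patch modifies, is linked against 3.2 as well, and the two can diverge if either build step falls back to the system library. Unless an assertion on it exists elsewhere in the file, a sibling entry covers it: `'php-openssl' => str_starts_with(OPENSSL_VERSION_TEXT, 'OpenSSL 3.2'),`. The comment above the changed line still only says the AL2 default must not be used; now that the check is pinned to one minor series it could state the intent, e.g. `// Make sure curl uses the OpenSSL we build (VERSION_OPENSSL in the Dockerfiles), not the AL2 system library`, so the next version bump knows to update both.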