From d1620740ef12b7c9b4e5435fd9a9a760dcccfb04 Mon Sep 17 00:00:00 2001
From: Graham Campbell
Date: Tue, 14 Nov 2023 14:24:02 +0000
Subject: [PATCH 1/3] Use OpenSSL 3.2 across all PHP versions
---
 layers/openssl3.patch | 13 +++++++++++++
 php-80/Dockerfile | 9 +++++++--
 php-81/Dockerfile | 2 +-
 php-82/Dockerfile | 2 +-
 php-83/Dockerfile | 2 +-
 5 files changed, 23 insertions(+), 5 deletions(-)
 create mode 100644 layers/openssl3.patch
diff --git a/layers/openssl3.patch b/layers/openssl3.patch
new file mode 100644
index 00000000..8b053983
--- /dev/null
+++ b/layers/openssl3.patch
@@ -0,0 +1,13 @@
+Patch for OpenSSL 3 support for PHP 8.0
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -1325,7 +1325,9 @@
+ REGISTER_LONG_CONSTANT("OPENSSL_CMS_NOSIGS", CMS_NOSIGS, CONST_CS|CONST_PERSISTENT);
+
+ REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_PADDING", RSA_PKCS1_PADDING, CONST_CS|CONST_PERSISTENT);
++#ifdef RSA_SSLV23_PADDING
+ REGISTER_LONG_CONSTANT("OPENSSL_SSLV23_PADDING", RSA_SSLV23_PADDING, CONST_CS|CONST_PERSISTENT);
++#endif
+ REGISTER_LONG_CONSTANT("OPENSSL_NO_PADDING", RSA_NO_PADDING, CONST_CS|CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("OPENSSL_PKCS1_OAEP_PADDING", RSA_PKCS1_OAEP_PADDING, CONST_CS|CONST_PERSISTENT);
+
diff --git a/php-80/Dockerfile b/php-80/Dockerfile
index ce2d1a43..01d5f2f0 100644
--- a/php-80/Dockerfile
+++ b/php-80/Dockerfile
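Review bot: The header line `Patch for OpenSSL 3 support for PHP 8.0` in layers/openssl3.patch gives no provenance for a locally carried change to ext/openssl, so the change cannot be audited against upstream php-src later. If this is a backport, I would extend the header to something like `Backport of php-src commit <upstream-commit-id>: register OPENSSL_SSLV23_PADDING only when RSA_SSLV23_PADDING is defined`, with the real commit id filled in. The header should also say that when the OpenSSL headers do not define `RSA_SSLV23_PADDING`, the userland constant `OPENSSL_SSLV23_PADDING` is not registered, so PHP 8.0 code that references it will fail. PATCH 3/3 of this series removes the Dockerfile steps that apply this file but leaves the file itself in the tree.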
@@ -103,13 +103,14 @@ RUN set -xe; \ # Needed by: # - curl # - php -ENV VERSION_OPENSSL=1.1.1w +RUN yum install -y perl-IPC-Cmd +ENV VERSION_OPENSSL=3.2.0-beta1 ENV OPENSSL_BUILD_DIR=${BUILD_DIR}/openssl ENV CA_BUNDLE_SOURCE="https://curl.se/ca/cacert.pem" ENV CA_BUNDLE="${INSTALL_DIR}/bref/ssl/cert.pem" RUN set -xe; \ mkdir -p ${OPENSSL_BUILD_DIR}; \ - curl -Ls https://github.com/openssl/openssl/archive/OpenSSL_${VERSION_OPENSSL//./_}.tar.gz \ + curl -Ls https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz \ | tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1 WORKDIR ${OPENSSL_BUILD_DIR}/ RUN CFLAGS="" \ @@ -384,6 +385,10 @@ ARG VERSION_PHP RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${VERSION_PHP}.tar.gz/from/this/mirror \ | tar xzC . --strip-components=1 +COPY layers/openssl3.patch ${PHP_BUILD_DIR} +RUN patch -N -p1 -s < openssl3.patch +RUN rm openssl3.patch + # Configure the build # -fstack-protector-strong : Be paranoid about stack overflows # -fpic : Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64) diff --git a/php-81/Dockerfile b/php-81/Dockerfile index 3ef0bd60..a6614df9 100644 --- a/php-81/Dockerfile +++ b/php-81/Dockerfile @@ -104,7 +104,7 @@ RUN set -xe; \ # - curl # - php RUN yum install -y perl-IPC-Cmd -ENV VERSION_OPENSSL=3.0.12 +ENV VERSION_OPENSSL=3.2.0-beta1 ENV OPENSSL_BUILD_DIR=${BUILD_DIR}/openssl ENV CA_BUNDLE_SOURCE="https://curl.se/ca/cacert.pem" ENV CA_BUNDLE="${INSTALL_DIR}/bref/ssl/cert.pem" diff --git a/php-82/Dockerfile b/php-82/Dockerfile index d74cedf7..159d1434 100644 --- a/php-82/Dockerfile +++ b/php-82/Dockerfile 
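Review bot: The OpenSSL tarball in the first php-80 hunk is piped from `curl -Ls` straight into `tar` with no integrity check and without `--fail`, so an HTTP error body or a tampered archive can reach the build of the library that, per the comment above it, curl and PHP depend on. The PHP download in the second hunk already uses `--location --silent --show-error --fail`; this step should do the same and compare the file with a SHA-256 pinned in the Dockerfile before extracting, as sketched below with a placeholder hash. `VERSION_OPENSSL=3.2.0-beta1` is also a pre-release, and the same value is set in php-81, php-82 and php-83. If the beta is intentional for now, a comment saying so and naming the final release to move to would help.

```dockerfile
# Placeholder value: pin the SHA-256 published for this exact release tarball.
ENV OPENSSL_SHA256=REPLACE_WITH_PUBLISHED_SHA256
# … unchanged: OPENSSL_BUILD_DIR, CA_BUNDLE_SOURCE, CA_BUNDLE …
RUN set -xe; \
    mkdir -p ${OPENSSL_BUILD_DIR}; \
    curl --location --silent --show-error --fail --output /tmp/openssl.tar.gz \
        https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz; \
    echo "${OPENSSL_SHA256}  /tmp/openssl.tar.gz" | sha256sum --check -; \
    tar xzf /tmp/openssl.tar.gz -C ${OPENSSL_BUILD_DIR} --strip-components=1; \
    rm /tmp/openssl.tar.gz
```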
@@ -104,7 +104,7 @@ RUN set -xe; \
 # - curl
 # - php
 RUN yum install -y perl-IPC-Cmd
-ENV VERSION_OPENSSL=3.0.12
+ENV VERSION_OPENSSL=3.2.0-beta1
 ENV OPENSSL_BUILD_DIR=${BUILD_DIR}/openssl
 ENV CA_BUNDLE_SOURCE="https://curl.se/ca/cacert.pem"
 ENV CA_BUNDLE="${INSTALL_DIR}/bref/ssl/cert.pem"
diff --git a/php-83/Dockerfile b/php-83/Dockerfile
index 5befd8e1..3202a636 100644
--- a/php-83/Dockerfile
+++ b/php-83/Dockerfile
@@ -105,7 +105,7 @@ RUN set -xe; \
 # - curl
 # - php
 RUN yum install -y perl-IPC-Cmd
-ENV VERSION_OPENSSL=3.0.12
+ENV VERSION_OPENSSL=3.2.0-beta1
 ENV OPENSSL_BUILD_DIR=${BUILD_DIR}/openssl
 ENV CA_BUNDLE_SOURCE="https://curl.se/ca/cacert.pem"
 ENV CA_BUNDLE="${INSTALL_DIR}/bref/ssl/cert.pem"
From 9ff4165faa1cfd7dfe4f5773cb47ac3c7665223d Mon Sep 17 00:00:00 2001
From: Graham Campbell
Date: Tue, 14 Nov 2023 15:14:09 +0000
Subject: [PATCH 2/3] Update test_2_extensions.php
---
 tests/test_2_extensions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_2_extensions.php b/tests/test_2_extensions.php
index 101147fe..fd944f9d 100644
--- a/tests/test_2_extensions.php
+++ b/tests/test_2_extensions.php
@@ -81,7 +81,7 @@
 // https://github.com/brefphp/aws-lambda-layers/issues/42
 'curl-http2' => defined('CURL_HTTP_VERSION_2'),
 // Make sure we are not using the default AL2 OpenSSL version (7.79)
- 'curl-openssl' => str_starts_with(curl_version()['ssl_version'], 'OpenSSL/1.1.1') || str_starts_with(curl_version()['ssl_version'], 'OpenSSL/3.0'),
+ 'curl-openssl' => str_starts_with(curl_version()['ssl_version'], 'OpenSSL/3.2'),
 // Check that the default certificate file exists
 // https://github.com/brefphp/aws-lambda-layers/issues/53
 'curl-openssl-certificates' => file_exists(openssl_get_cert_locations()['default_cert_file']),
From 6b5fa9cbb2856f3437654e4781e8dd182d2cf181 Mon Sep 17 00:00:00 2001
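Review bot: The `curl-openssl` assertion in tests/test_2_extensions.php only proves which OpenSSL curl was linked against; nothing in this hunk checks the library that PHP's own openssl extension was built with, which is what this series changes for every PHP version. Unless the array already has such an entry outside the hunk, add `'openssl-version' => str_starts_with(OPENSSL_VERSION_TEXT, 'OpenSSL 3.2'),` next to it. The comment above the changed line still says `(7.79)`, which reads like a curl version rather than an OpenSSL one and is worth correcting while here.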
From: Graham Campbell Date: Thu, 16 Nov 2023 10:53:32 +0000 Subject: [PATCH 3/3] Confirm that the PHP 8.0 build fails without the patch --- php-80/Dockerfile | 4 ---- 1 file changed, 4 deletions(-) diff --git a/php-80/Dockerfile b/php-80/Dockerfile index 01d5f2f0..767c234f 100644 --- a/php-80/Dockerfile +++ b/php-80/Dockerfile @@ -385,10 +385,6 @@ ARG VERSION_PHP RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${VERSION_PHP}.tar.gz/from/this/mirror \ | tar xzC . --strip-components=1 -COPY layers/openssl3.patch ${PHP_BUILD_DIR} -RUN patch -N -p1 -s < openssl3.patch -RUN rm openssl3.patch - # Configure the build # -fstack-protector-strong : Be paranoid about stack overflows # -fpic : Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)