[2012-05-03 20:18 UTC] stas@php.net
Description:
------------
If openssl_get_publickey() is applied to a key resource, the resource that comes out of it has wrong refcount and if freed, the argument of openssl_get_publickey() gets freed too.

Test script:
---------------
If we have a certificate in $cert and data in $data and valid signature in $sign, this works:

$key = openssl_get_publickey($cert);
var_dump(openssl_verify($data, $sig, $key));

however this does not:

$key = openssl_get_publickey($cert);
var_dump(openssl_get_publickey($key));
var_dump(openssl_verify($data, $sig, $key));

it produces errors like this:

Warning: openssl_verify(): 4 is not a valid OpenSSL X.509/key resource in /Users/smalyshev/osslbug.php on line 29
Warning: openssl_verify(): supplied key param cannot be coerced into a public key in /Users/smalyshev/osslbug.php on line 29
Last updated: Sun Nov 09 04:00:01 2025 UTC |
The problem happens because php_openssl_evp_from_zval on receiving resource with public key, is doing just this:

    if (resourceval) {
        *resourceval = Z_LVAL_PP(val);
    }

and then:

    return (EVP_PKEY*)what;

while openssl_pkey_get_public() does this:

    Z_TYPE_P(return_value) = IS_RESOURCE;
    pkey = php_openssl_evp_from_zval(cert, 1, NULL, 1, &Z_LVAL_P(return_value) TSRMLS_CC);

so the refcount of the resource in return_value is never increased, even though it is assigned now to another variable. When the return_value is freed, so is the resource, thus corrupting data in $key.
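
The refcount problem described in this report, as an added C model that is not php-src code and not part of the original report. The table, the `res_*` helpers and both `get_public_*` functions are hypothetical stand-ins for the resource list and openssl_pkey_get_public(), and the fixed variant assumes the remedy is for the returned handle to take its own reference.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a refcounted resource table (hypothetical, not php-src). */
#define MAX_RES 8
typedef struct { void *ptr; int refcount; } res_entry;
static res_entry table[MAX_RES];

static int res_register(void *ptr) {
    for (int id = 1; id < MAX_RES; id++)
        if (!table[id].ptr) { table[id].ptr = ptr; table[id].refcount = 1; return id; }
    return -1;
}
static void *res_fetch(int id) {
    return (id > 0 && id < MAX_RES) ? table[id].ptr : NULL;
}
static void res_addref(int id) { if (res_fetch(id)) table[id].refcount++; }
static void res_release(int id) {
    if (res_fetch(id) && --table[id].refcount == 0) {
        free(table[id].ptr);          /* destructor runs, entry becomes invalid */
        table[id].ptr = NULL;
    }
}

/* Buggy: the same id is handed out as a second handle without being counted. */
static int get_public_buggy(int key_id) { return res_fetch(key_id) ? key_id : -1; }

/* Fixed (assumed remedy): the second handle owns a reference of its own. */
static int get_public_fixed(int key_id) {
    if (!res_fetch(key_id)) return -1;
    res_addref(key_id);
    return key_id;
}

/* Returns 1 if $key is still usable after the temporary return value is freed. */
static int key_survives(int (*get_public)(int)) {
    int key = res_register(malloc(16)); /* $key = openssl_get_publickey($cert) */
    int tmp = get_public(key);          /* openssl_get_publickey($key)         */
    res_release(tmp);                   /* var_dump() returns, temporary freed */
    int ok = res_fetch(key) != NULL;    /* the lookup openssl_verify() performs */
    if (ok) res_release(key);           /* normal cleanup of $key              */
    return ok;
}

int main(void) {
    printf("buggy: key valid afterwards = %d\n", key_survives(get_public_buggy));
    printf("fixed: key valid afterwards = %d\n", key_survives(get_public_fixed));
    return 0;
}
```

In the buggy path the failed lookup corresponds to the "is not a valid OpenSSL X.509/key resource" warning quoted in the report.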