php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61930 openssl corrupts ssl key resource when using openssl_get_publickey()
Submitted: 2012-05-03 20:18 UTC Modified: 2012-05-13 03:14 UTC
From: stas@php.net Assigned: pajoye (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.4.2 OS: *
Private report: No CVE-ID: None
 [2012-05-03 20:18 UTC] stas@php.net
Description:
------------
If openssl_get_publickey() is applied to a key resource, the resource that comes 
out of it has wrong refcount and if freed, the argument of 
openssl_get_publickey() gets freed too. 

Test script:
---------------
If we have a certificate in $cert and data in $data and valid signature in $sign, this works:


$key = openssl_get_publickey($cert);
var_dump(openssl_verify($data, $sig, $key));

however this does not:

$key = openssl_get_publickey($cert);
var_dump(openssl_get_publickey($key));
var_dump(openssl_verify($data, $sig, $key));

it produces errors like this:


Warning: openssl_verify(): 4 is not a valid OpenSSL X.509/key resource in /Users/smalyshev/osslbug.php on line 29

Warning: openssl_verify(): supplied key param cannot be coerced into a public key in /Users/smalyshev/osslbug.php on line 29



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-05-03 20:21 UTC] stas@php.net
The problem happens because php_openssl_evp_from_zval on receiving resource with 
public key, is doing just this:


if (resourceval) {
*resourceval = Z_LVAL_PP(val);
}

and then:

return (EVP_PKEY*)what;

while openssl_pkey_get_public() does this:

Z_TYPE_P(return_value) = IS_RESOURCE;
pkey = php_openssl_evp_from_zval(cert, 1, NULL, 1, &Z_LVAL_P(return_value) 
TSRMLS_CC);

so the refcount of the resource in return_value is never increased, even though 
it is assigned now to another variable. When the return_value is freed, so is 
the resource, thus corrupting data in $key.
 [2012-05-13 03:14 UTC] stas@php.net
-Assigned To: +Assigned To: pajoye
 [2013-02-17 21:30 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7b0107cc5d3d90655957680ef9cf916dce6875a7
Log: fix bug #61930: openssl corrupts ssl key resource when using openssl_get_publickey()
 [2013-02-17 21:30 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2014-08-10 12:29 UTC] fuzzy76 at fuzzy76 dot net
I see this wasn't backported to the 5.3.x series. Are there any known workarounds for those of us stuck on older versions?
 [2014-10-07 23:20 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=7b0107cc5d3d90655957680ef9cf916dce6875a7
Log: fix bug #61930: openssl corrupts ssl key resource when using openssl_get_publickey()
 [2014-10-07 23:31 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=7b0107cc5d3d90655957680ef9cf916dce6875a7
Log: fix bug #61930: openssl corrupts ssl key resource when using openssl_get_publickey()
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC