Bug #61930 openssl corrupts ssl key resource when using openssl_get_publickey()
Submitted: 2012-05-03 20:18 UTC Modified: 2012-05-13 03:14 UTC
From: Assigned: pajoye
Status: Closed Package: OpenSSL related
PHP Version: 5.4.2 OS: *
Private report: No CVE-ID:
 [2012-05-03 20:18 UTC]
If openssl_get_publickey() is applied to a key resource, the resource that comes 
out of it has the wrong refcount, and if it is freed, the argument of 
openssl_get_publickey() gets freed too. 

Test script:
If we have a certificate in $cert, data in $data and a valid signature in $sig, this works:

$key = openssl_get_publickey($cert);
var_dump(openssl_verify($data, $sig, $key));

however this does not:

$key = openssl_get_publickey($cert);
var_dump(openssl_verify($data, $sig, $key));

it produces errors like this:

Warning: openssl_verify(): 4 is not a valid OpenSSL X.509/key resource in /Users/smalyshev/osslbug.php on line 29

Warning: openssl_verify(): supplied key param cannot be coerced into a public key in /Users/smalyshev/osslbug.php on line 29


 [2012-05-03 20:21 UTC]
The problem happens because php_openssl_evp_from_zval, on receiving a resource with 
a public key, does just this:

if (resourceval) {
*resourceval = Z_LVAL_PP(val);

and then:

return (EVP_PKEY*)what;

while openssl_pkey_get_public() does this:

Z_TYPE_P(return_value) = IS_RESOURCE;
pkey = php_openssl_evp_from_zval(cert, 1, NULL, 1, &Z_LVAL_P(return_value) 

so the refcount of the resource in return_value is never increased, even though 
it is assigned now to another variable. When the return_value is freed, so is 
the resource, thus corrupting data in $key.
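
The refcount mistake described in the comment above, reduced to a small C model. This is an added example, not PHP's source code: the resource table and every function name in it are hypothetical. The buggy getter hands back the same resource id without taking a reference, so freeing the returned value destroys the entry the original variable still uses.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a refcounted resource list. All names are
   hypothetical; this is not the Zend engine API. */
#define MAX_RES 8
static struct { void *ptr; int refcount; } res_list[MAX_RES];

/* Store a pointer under a new resource id with refcount 1. */
static int res_register(void *ptr) {
    for (int id = 1; id < MAX_RES; id++) {
        if (res_list[id].refcount == 0) {
            res_list[id].ptr = ptr;
            res_list[id].refcount = 1;
            return id;
        }
    }
    return -1;
}

/* Drop one reference; destroy the payload when the count reaches zero. */
static void res_release(int id) {
    if (--res_list[id].refcount == 0) {
        free(res_list[id].ptr);
        res_list[id].ptr = NULL;
    }
}

/* A lookup succeeds only while the entry is still alive. */
static int res_is_valid(int id) {
    return id > 0 && id < MAX_RES && res_list[id].refcount > 0;
}

/* Buggy: returns the caller's id as a new value without counting it. */
static int get_public_buggy(int id) { return id; }
/* Fixed: the returned value takes its own reference on the same entry. */
static int get_public_fixed(int id) { res_list[id].refcount++; return id; }

/* Models: key = new resource; copy = get_public(key); free copy; use key. */
static int key_survives_copy_free(int (*get_public)(int)) {
    int key = res_register(malloc(16));
    int copy = get_public(key);
    res_release(copy);            /* the returned value is freed */
    int ok = res_is_valid(key);   /* the original key is used afterwards */
    if (ok) res_release(key);     /* drop the remaining reference */
    return ok;
}
int main(void) {
    printf("buggy: key valid = %d\n", key_survives_copy_free(get_public_buggy));
    printf("fixed: key valid = %d\n", key_survives_copy_free(get_public_fixed));
    return 0;
}
```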
 [2012-05-13 03:14 UTC]
-Assigned To: +Assigned To: pajoye
 [2013-02-17 21:30 UTC]
Automatic comment on behalf of stas
Log: fix bug #61930: openssl corrupts ssl key resource when using openssl_get_publickey()
 [2013-02-17 21:30 UTC]
-Status: Assigned +Status: Closed
Last updated: Sun Apr 20 08:02:33 2014 UTC