php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74022 PHP Fast CGI crashes when reading from a pfx file with valid password.
Submitted: 2017-01-31 13:13 UTC Modified: 2017-05-18 11:01 UTC
From: ckmailid at gmail dot com Assigned: ab
Status: Closed Package: OpenSSL related
PHP Version: 7.0.15 OS: Windows 10
Private report: No CVE-ID:
 [2017-01-31 13:13 UTC] ckmailid at gmail dot com
Description:
------------
PHP process crashes when i use a pfx file to read using function openssl_pkcs12_read with valid password.
But it gives error if password is wrong, that is working fine. 

That pfx file is working well with openssl command line utility

Environment :

PHP : 7 .0.9
OS: windows 10
Server: IIS, Using Fast CGI
certificate : It is specially exported certificate from windows. when a highly secure certificate is exported , it asks for login user password,  and after 4 attempt with wrong password it export the certificate even after wrong password.
You can do it by import a pfx file that with enabling strong private key encrypting checkbox on wizard and after finish set security level HIGH.

I tried it on linux with gdb, it shows Segmentation fault (core dumped).


Test script:
---------------
if (!$cert_store = file_get_contents("sample_export.pfx")) {
    echo "Error: Unable to read the cert file\n";
    exit;
}

if (openssl_pkcs12_read($cert_store, $cert_info, "csos")) {
    echo "Certificate Information\n";
    print_r($cert_info);
} else {
    echo "Error: Unable to read the cert store.\n";
    exit;
}


Expected result:
----------------
it will crash the PHP process.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-31 13:48 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2017-01-31 13:48 UTC] ab@php.net
Thanks for the report. Could you provide the backtrace? Also, were it possible to get some .pfx file for debugging? If not your exact file, then any that reproduces.

Thanks.
 [2017-02-01 06:50 UTC] ckmailid at gmail dot com
-Status: Feedback +Status: Open
 [2017-02-01 06:50 UTC] ckmailid at gmail dot com
Hi, i generate a sample key and made a sample pfx file that can reproduce but i didn't find any option to attach a file. I am afraid but can you please guide me where to upload sample pfx file.
 [2017-02-01 12:55 UTC] ab@php.net
This tracker doesn't allow file uploads except patches, but that's not the case for the purpose. If there are text files only, please gist them somewhere and post a link. Otherwise, probably no way around than sharing them through dropbox or a similar service.

Thanks.
 [2017-02-01 13:01 UTC] ckmailid at gmail dot com
Thanks for the suggestion,

please use the following link to get the file
 
https://drive.google.com/file/d/0Bzazdkn-4vEOTk5VYW8wUTM1LXM/view?usp=sharing

let me know in case of any difficulties.
 [2017-02-02 12:09 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6fc0ae638acd2a66a4181078f4ac5d789762d9de
Log: Fixed #74022 PHP Fast CGI crashes when reading from a pfx file.
 [2017-02-02 12:09 UTC] ab@php.net
-Status: Open +Status: Closed
 [2017-05-17 06:55 UTC] falundir at gmail dot com
Probably this is the fix that broke openssl_pkcs12_read - starting from PHP 7.0.17 and 7.1.3 this function returns only one certificate in 'extracerts', even when there are more than one.

See here: https://3v4l.org/r3brq
 [2017-05-17 07:45 UTC] falundir at gmail dot com
Looking at the diff, I think that sk_X509_num(ca) should be evaluated before the for-loop, because sk_X509_pop probably changes the sk_X509_num result.
 [2017-05-17 09:56 UTC] falundir at gmail dot com
I've confirmed this suspicion. Following patch (against 7.1.5) fixes the problem:

@@ -2972,11 +2972,9 @@ PHP_FUNCTION(openssl_pkcs12_read)
 		}
 
 		if (ca && sk_X509_num(ca)) {
-			int num;
 			array_init(&zextracerts);
 
-			num = sk_X509_num(ca);
-			for (i = 0; i < num; i++) {
+			for (i = 0; i < sk_X509_num(ca); i++) {
 				zval zextracert;
 				X509* aCA = sk_X509_pop(ca);
 				if (!aCA) break;
 [2017-05-18 11:01 UTC] ab@php.net
-Assigned To: +Assigned To: ab
 [2017-05-18 11:01 UTC] ab@php.net
Thanks for the ping. Fixed in 464c1639ae544e3952823caf169d2e4199a32fc3, please check the current 7.0+ snapshots.

Thanks.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC