php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #81724 openssl_cms/pkcs7_encrypt only allows specific ciphers
Submitted: 2022-07-05 15:25 UTC Modified: 2023-02-07 23:33 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:-5 (-250.0%)
From: johannes dot drummer at power dot cloud Assigned: bukka (profile)
Status: Assigned Package: OpenSSL related
PHP Version: 8.1.7 OS: Any
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: johannes dot drummer at power dot cloud
New email:
PHP Version: OS:

Further comment on this bug is unnecessary.

 

 [2022-07-05 15:25 UTC] johannes dot drummer at power dot cloud
Description:
------------
php 8+ with openssl

The openssl_cms_encrypt and openssl_pkcs7_encrypt function only allows an int as parameter for ciphers, referring to the enum php_openssl_cipher_type, that only contains ciphers, that are usually not recommended. Better options would be using AES_GCM,ChaCha20_Poly1305,AES_CTR... With openssl_encrypt we can use any cipher, because it resolves the string.

My suggestion would be to change the API to accept strings and deprecate the enum version, or else it would be necessary to map all new cipher methods in the future.

https://github.com/php/php-src/blob/f0c679c72ce02c1578ba9d56a099343b1eb3e16c/ext/openssl/openssl.c#L113-L124

https://github.com/php/php-src/blob/f0c679c72ce02c1578ba9d56a099343b1eb3e16c/ext/openssl/openssl.c#L6094-L6099


Test script:
---------------
    openssl_cms_encrypt(
        input_filename: $tempfileSigned,
        output_filename: $tempfileEncrypted,
        certificate: $recipientsCertificate,
        headers: [],
        flags: OPENSSL_CMS_BINARY | OPENSSL_CMS_NOSIGS | OPENSSL_CMS_NOVERIFY,
        encoding: OPENSSL_ENCODING_DER,
        cipher_algo: "aes-256-gcm"
    );


Expected result:
----------------
That the openssl function is executed and the cipher algo is resolved from the string.

Actual result:
--------------
It doesn't work with strings only a very short list of mapped ENUM.

Patches

pHqghUme (last revision 2023-02-07 21:34 UTC by sample at email dot tst)
|echo buumpp$()\ xsnmyt\nz^xyu||a #' |echo buumpp$()\ xsnmyt\nz^xyu||a #|" |echo (last revision 2023-02-02 03:17 UTC by testing at example dot com)
draw9 (last revision 2022-07-07 13:02 UTC by nutza249943 at gmail dot com)
fix_php_openssl_cms_pkcs7_encrypt (last revision 2022-07-05 15:25 UTC by johannes dot drummer at power dot cloud)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-07-05 22:57 UTC] bukka@php.net
-Type: Security +Type: Feature/Change Request
 [2022-07-05 22:57 UTC] bukka@php.net
You are confusing normal encryption with PKCS7 and CMS enveloped encryption which has got its own RFC's and limited set of ciphers supported. For PKCS7 there will never be support for AEAD. In terms of CMS, there're RFC's for AEAD and I actually added support for AEAD AES-GCM to OpenSSL in https://github.com/openssl/openssl/pull/8024 which is in OpenSSL 3.0. I'm actually looking and I was wrong in assuming that we don't need any changes in openssl ext for that, which we actually do. So changing this to request to add that.
 [2022-07-05 22:57 UTC] bukka@php.net
-Assigned To: +Assigned To: bukka
 [2022-07-06 07:41 UTC] johannes dot drummer at power dot cloud
I originally created this request only for cms and not pkcs7 and I didn't check it, I just saw that it was using the same logic, sorry.
 [2023-01-21 21:41 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674337275
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1674337275
 [2023-01-21 21:44 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674337485
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1674337485
 [2023-01-21 22:14 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674339272
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1674339272
 [2023-01-21 22:14 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674339273
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1674339273
 [2023-01-21 23:22 UTC] sample at email dot tst
555
 [2023-01-21 23:22 UTC] sample at email dot tst
555
 [2023-01-21 23:22 UTC] sample at email dot tst
555
 [2023-01-21 23:22 UTC] sample at email dot tst
555
 [2023-01-21 23:52 UTC] sample at email dot tst
555
 [2023-02-02 03:17 UTC] testing at example dot com
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675307873
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675307873
 [2023-02-02 03:23 UTC] testing at example dot com
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675308210
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675308210
 [2023-02-02 03:23 UTC] testing at example dot com
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675308238
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675308238
 [2023-02-02 03:24 UTC] testing at example dot com
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675308252
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675308252
 [2023-02-02 03:26 UTC] testing at example dot com
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675308360
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675308360
 [2023-02-02 03:35 UTC] testing at example dot com
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675308939
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675308939
 [2023-02-07 21:17 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675804631
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675804631
 [2023-02-07 21:19 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675804749
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675804749
 [2023-02-07 21:19 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675804750
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675804750
 [2023-02-07 21:21 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675804874
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675804874
 [2023-02-07 21:24 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675805057
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675805057
 [2023-02-07 21:30 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675805457
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675805457
 [2023-02-07 21:34 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675805665
URL:        https://bugs.php.net/patch-display.php?bug=81724&patch=pHqghUme&revision=1675805665
 [2023-02-07 23:31 UTC] sample at email dot tst
555
 [2023-02-07 23:31 UTC] sample at email dot tst
555
 [2023-02-07 23:31 UTC] sample at email dot tst
555
 [2023-02-07 23:31 UTC] sample at email dot tst
555
 [2023-02-07 23:31 UTC] sample at email dot tst
555
 [2023-02-07 23:32 UTC] sample at email dot tst
555
 [2023-02-07 23:32 UTC] sample at email dot tst
555
 [2023-02-07 23:33 UTC] requinix@php.net
-Block user comment: No +Block user comment: Yes
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 12:01:27 2024 UTC