php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #81724 openssl_cms/pkcs7_encrypt only allows specific ciphers
Submitted: 2022-07-05 15:25 UTC Modified: 2022-07-06 07:41 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: johannes dot drummer at power dot cloud Assigned: bukka (profile)
Status: Assigned Package: OpenSSL related
PHP Version: 8.1.7 OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
47 - 29 = ?
Subscribe to this entry?

 
 [2022-07-05 15:25 UTC] johannes dot drummer at power dot cloud
Description:
------------
php 8+ with openssl

The openssl_cms_encrypt and openssl_pkcs7_encrypt function only allows an int as parameter for ciphers, referring to the enum php_openssl_cipher_type, that only contains ciphers, that are usually not recommended. Better options would be using AES_GCM,ChaCha20_Poly1305,AES_CTR... With openssl_encrypt we can use any cipher, because it resolves the string.

My suggestion would be to change the API to accept strings and deprecate the enum version, or else it would be necessary to map all new cipher methods in the future.

https://github.com/php/php-src/blob/f0c679c72ce02c1578ba9d56a099343b1eb3e16c/ext/openssl/openssl.c#L113-L124

https://github.com/php/php-src/blob/f0c679c72ce02c1578ba9d56a099343b1eb3e16c/ext/openssl/openssl.c#L6094-L6099


Test script:
---------------
    openssl_cms_encrypt(
        input_filename: $tempfileSigned,
        output_filename: $tempfileEncrypted,
        certificate: $recipientsCertificate,
        headers: [],
        flags: OPENSSL_CMS_BINARY | OPENSSL_CMS_NOSIGS | OPENSSL_CMS_NOVERIFY,
        encoding: OPENSSL_ENCODING_DER,
        cipher_algo: "aes-256-gcm"
    );


Expected result:
----------------
That the openssl function is executed and the cipher algo is resolved from the string.

Actual result:
--------------
It doesn't work with strings only a very short list of mapped ENUM.

Patches

draw9 (last revision 2022-07-07 13:02 UTC by nutza249943 at gmail dot com)
fix_php_openssl_cms_pkcs7_encrypt (last revision 2022-07-05 15:25 UTC by johannes dot drummer at power dot cloud)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-07-05 22:57 UTC] bukka@php.net
-Type: Security +Type: Feature/Change Request
 [2022-07-05 22:57 UTC] bukka@php.net
You are confusing normal encryption with PKCS7 and CMS enveloped encryption which has got its own RFC's and limited set of ciphers supported. For PKCS7 there will never be support for AEAD. In terms of CMS, there're RFC's for AEAD and I actually added support for AEAD AES-GCM to OpenSSL in https://github.com/openssl/openssl/pull/8024 which is in OpenSSL 3.0. I'm actually looking and I was wrong in assuming that we don't need any changes in openssl ext for that, which we actually do. So changing this to request to add that.
 [2022-07-05 22:57 UTC] bukka@php.net
-Assigned To: +Assigned To: bukka
 [2022-07-06 07:41 UTC] johannes dot drummer at power dot cloud
I originally created this request only for cms and not pkcs7 and I didn't check it, I just saw that it was using the same logic, sorry.
 [2022-08-29 06:49 UTC] civilgang1 at gmail dot com
Water Leaking Through Ceiling is a common defect in the house ceiling area. Generally, when water leaks through the ceiling area of the roof is known as a Ceiling Water Leakage.
    (https://civilgang.com/fix-leakage-ceiling/)github.com
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Sep 26 19:05:54 2022 UTC