|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Your comment was added to the bug successfully.
Request #81724 openssl_cms/pkcs7_encrypt only allows specific ciphers
Submitted: 2022-07-05 15:25 UTC Modified: 2023-02-07 23:33 UTC
Avg. Score:4.3 ± 0.9
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:-2 (-40.0%)
From: johannes dot drummer at power dot cloud Assigned: bukka (profile)
Status: Assigned Package: OpenSSL related
PHP Version: 8.1.7 OS: Any
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2022-07-05 15:25 UTC] johannes dot drummer at power dot cloud
php 8+ with openssl

The openssl_cms_encrypt and openssl_pkcs7_encrypt function only allows an int as parameter for ciphers, referring to the enum php_openssl_cipher_type, that only contains ciphers, that are usually not recommended. Better options would be using AES_GCM,ChaCha20_Poly1305,AES_CTR... With openssl_encrypt we can use any cipher, because it resolves the string.

My suggestion would be to change the API to accept strings and deprecate the enum version, or else it would be necessary to map all new cipher methods in the future.

Test script:
        input_filename: $tempfileSigned,
        output_filename: $tempfileEncrypted,
        certificate: $recipientsCertificate,
        headers: [],
        encoding: OPENSSL_ENCODING_DER,
        cipher_algo: "aes-256-gcm"

Expected result:
That the openssl function is executed and the cipher algo is resolved from the string.

Actual result:
It doesn't work with strings only a very short list of mapped ENUM.


pHqghUme (last revision 2024-07-20 04:40 UTC by testing at example dot com)
lxbfYeaa (last revision 2024-05-24 08:56 UTC by testing at example dot com)
|echo buumpp$()\ xsnmyt\nz^xyu||a #' |echo buumpp$()\ xsnmyt\nz^xyu||a #|" |echo (last revision 2023-02-02 03:17 UTC by testing at example dot com)
draw9 (last revision 2022-07-07 13:02 UTC by nutza249943 at gmail dot com)
fix_php_openssl_cms_pkcs7_encrypt (last revision 2022-07-05 15:25 UTC by johannes dot drummer at power dot cloud)

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2022-07-05 22:57 UTC]
-Type: Security +Type: Feature/Change Request
 [2022-07-05 22:57 UTC]
You are confusing normal encryption with PKCS7 and CMS enveloped encryption which has got its own RFC's and limited set of ciphers supported. For PKCS7 there will never be support for AEAD. In terms of CMS, there're RFC's for AEAD and I actually added support for AEAD AES-GCM to OpenSSL in which is in OpenSSL 3.0. I'm actually looking and I was wrong in assuming that we don't need any changes in openssl ext for that, which we actually do. So changing this to request to add that.
 [2022-07-05 22:57 UTC]
-Assigned To: +Assigned To: bukka
 [2022-07-06 07:41 UTC] johannes dot drummer at power dot cloud
I originally created this request only for cms and not pkcs7 and I didn't check it, I just saw that it was using the same logic, sorry.
 [2023-02-07 23:33 UTC]
-Block user comment: No +Block user comment: Yes
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 24 10:01:28 2024 UTC