Bug #61930 [Asn->Csd]: openssl corrupts ssl key resource when using openssl_get_publickey()

Sun, 17 Feb 2013 13:30:49 -0800 

Edit report at https://bugs.php.net/bug.php?id=61930&edit=1

 ID:                 61930
 Updated by:         [email protected]
 Reported by:        [email protected]
 Summary:            openssl corrupts ssl key resource when using
                     openssl_get_publickey()
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            OpenSSL related
 Operating System:   *
 PHP Version:        5.4.2
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

Automatic comment on behalf of stas
Revision: 
http://git.php.net/?p=php-src.git;a=commit;h=7b0107cc5d3d90655957680ef9cf916dce6875a7
Log: fix bug #61930: openssl corrupts ssl key resource when using 
openssl_get_publickey()


Previous Comments:
------------------------------------------------------------------------
[2012-05-03 20:21:08] [email protected]

The problem happens because php_openssl_evp_from_zval on receiving resource 
with 
public key, is doing just this:


if (resourceval) {
*resourceval = Z_LVAL_PP(val);
}

and then:

return (EVP_PKEY*)what;

while openssl_pkey_get_public() does this:

Z_TYPE_P(return_value) = IS_RESOURCE;
pkey = php_openssl_evp_from_zval(cert, 1, NULL, 1, &Z_LVAL_P(return_value) 
TSRMLS_CC);

so the refcount of the resource in return_value is never increased, even though 
it is assigned now to another variable. When the return_value is freed, so is 
the resource, thus corrupting data in $key.

------------------------------------------------------------------------
[2012-05-03 20:18:08] [email protected]

Description:
------------
If openssl_get_publickey() is applied to a key resource, the resource that 
comes 
out of it has wrong refcount and if freed, the argument of 
openssl_get_publickey() gets freed too. 

Test script:
---------------
If we have a certificate in $cert and data in $data and valid signature in 
$sign, this works:


$key = openssl_get_publickey($cert);
var_dump(openssl_verify($data, $sig, $key));

however this does not:

$key = openssl_get_publickey($cert);
var_dump(openssl_get_publickey($key));
var_dump(openssl_verify($data, $sig, $key));

it produces errors like this:


Warning: openssl_verify(): 4 is not a valid OpenSSL X.509/key resource in 
/Users/smalyshev/osslbug.php on line 29

Warning: openssl_verify(): supplied key param cannot be coerced into a public 
key in /Users/smalyshev/osslbug.php on line 29




------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=61930&edit=1

Reply via email to