openssl corrupts ssl key resource when using openssl_get_publickey()
| Bug #61930 | openssl corrupts ssl key resource when using openssl_get_publickey() | | |
|---|---|---|---|
| Submitted: | 2012-05-03 20:18 UTC | Modified: | 2012-05-13 03:14 UTC |
| From: | stas@php.net | Assigned: | pajoye (profile) |
| Status: | Closed | Package: | OpenSSL related |
| PHP Version: | 5.4.2 | OS: | * |
| Private report: | No | CVE-ID: | None |

[2012-05-03 20:18 UTC] stas@php.net
Description:
------------
If openssl_get_publickey() is applied to a key resource, the resource that comes out of it has wrong refcount and if freed, the argument of openssl_get_publickey() gets freed too.

Test script:
---------------
If we have a certificate in $cert and data in $data and valid signature in $sign, this works:

```php
$key = openssl_get_publickey($cert);
var_dump(openssl_verify($data, $sig, $key));
```

however this does not:

```php
$key = openssl_get_publickey($cert);
var_dump(openssl_get_publickey($key));
var_dump(openssl_verify($data, $sig, $key));
```

it produces errors like this:

```
Warning: openssl_verify(): 4 is not a valid OpenSSL X.509/key resource in /Users/smalyshev/osslbug.php on line 29
Warning: openssl_verify(): supplied key param cannot be coerced into a public key in /Users/smalyshev/osslbug.php on line 29
```

[2012-05-03 20:21 UTC] stas@php.net
The problem happens because php_openssl_evp_from_zval on receiving resource with public key, is doing just this:

```c
if (resourceval) {
    *resourceval = Z_LVAL_PP(val);
}
```

and then:

```c
return (EVP_PKEY*)what;
```

while openssl_pkey_get_public() does this:

```c
Z_TYPE_P(return_value) = IS_RESOURCE;
pkey = php_openssl_evp_from_zval(cert, 1, NULL, 1, &Z_LVAL_P(return_value) TSRMLS_CC);
```

so the refcount of the resource in return_value is never increased, even though it is assigned now to another variable. When the return_value is freed, so is the resource, thus corrupting data in $key.

[2012-05-13 03:14 UTC] stas@php.net
-Assigned To:
+Assigned To: pajoye

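A minimal C model of the refcount problem analysed in the 2012-05-03 20:21 comment, added here as an illustration; it is not PHP's source and not the change that closed this bug. The resource table and the names `res_register`, `res_find`, `res_release`, `get_public` and `key_survives` are hypothetical, and the `addref` variant is one assumed way to count the second holder.

```c
#include <stdlib.h>

/* Toy refcounted resource list; all names are hypothetical, not Zend's API. */
#define MAX_RES 8
typedef struct { void *ptr; int refcount; } res_entry;
static res_entry res_table[MAX_RES];

/* Register a pointer as a new resource with one holder; returns its id. */
static int res_register(void *ptr) {
    for (int id = 1; id < MAX_RES; id++)
        if (res_table[id].ptr == NULL) {
            res_table[id] = (res_entry){ ptr, 1 };
            return id;
        }
    return -1;
}

/* Look up a resource; NULL models "4 is not a valid ... resource". */
static void *res_find(int id) {
    return (id > 0 && id < MAX_RES) ? res_table[id].ptr : NULL;
}

/* Drop one reference, as when a PHP value holding the id is destroyed. */
static void res_release(int id) {
    if (res_find(id) && --res_table[id].refcount == 0) {
        free(res_table[id].ptr);
        res_table[id].ptr = NULL;
    }
}

/* Models openssl_pkey_get_public() on a key resource: the return value reuses
 * the argument's id. addref == 0 is the behaviour described in the report. */
static int get_public(int key_id, int addref) {
    if (!res_find(key_id)) return -1;
    if (addref) res_table[key_id].refcount++;  /* count the second holder */
    return key_id;
}

/* Replays the report's sequence; returns 1 if $key is still valid afterwards. */
static int key_survives(int addref) {
    int key = res_register(calloc(1, 32)); /* constructed stand-in for EVP_PKEY */
    int tmp = get_public(key, addref);     /* openssl_get_publickey($key) */
    res_release(tmp);                      /* temporary return value destroyed */
    int ok = res_find(key) != NULL;        /* what openssl_verify() would find */
    if (ok) res_release(key);
    return ok;
}

int main(void) { return (key_survives(0) == 0 && key_survives(1) == 1) ? 0 : 1; }
```

`key_survives(0)` returns 0 because releasing the temporary drops the only counted reference and frees the key while `$key` still holds its id; `key_survives(1)` returns 1.
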
[2013-02-17 21:30 UTC] stas@php.net
-Status: Assigned
+Status: Closed

[2014-08-10 12:29 UTC] fuzzy76 at fuzzy76 dot net